This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for ORM Injection (OTG-INPVAL-007)"

From OWASP
Jump to: navigation, search
(Black Box testing and example)
(References)
Line 24: Line 24:
  
 
== References ==
 
== References ==
References from Testing for SQL Injection are applicable to ORM Injection http://www.owasp.org/index.php/Testing_for_SQL_Injection#References<br>
+
'''Whitepapers'''<br>
Wikipedia - ORM http://en.wikipedia.org/wiki/Object-relational_mapping<br>
+
* References from Testing for SQL Injection are applicable to ORM Injection - http://www.owasp.org/index.php/Testing_for_SQL_Injection#References
OWASP Interpreter Injection https://www.owasp.org/index.php/Interpreter_Injection#ORM_Injection<br>
+
* Wikipedia - ORM http://en.wikipedia.org/wiki/Object-relational_mapping<br>
 +
* OWASP Interpreter Injection https://www.owasp.org/index.php/Interpreter_Injection#ORM_Injection<br>
  
 
'''Tools''' <br>
 
'''Tools''' <br>
''Popular ORM Tools''<br>
+
* Ruby On Rails - ActiveRecord and SQL Injection http://manuals.rubyonrails.com/read/chapter/43 <br>
Ruby On Rails - ActiveRecord and SQL Injection http://manuals.rubyonrails.com/read/chapter/43 <br>
+
* Hibernate http://www.hibernate.org<br>
Hibernate http://www.hibernate.org<br>
+
* NHibernate http://www.nhibernate.org<br>
NHibernate http://www.nhibernate.org<br>
+
* Also, see SQL Injection Tools http://www.owasp.org/index.php/Testing_for_SQL_Injection#References<br>
Also, see SQL Injection Tools http://www.owasp.org/index.php/Testing_for_SQL_Injection#References<br>
 
  
 
{{Category:OWASP Testing Project AoC}}
 
{{Category:OWASP Testing Project AoC}}

Revision as of 14:38, 21 November 2006

[Up]
OWASP Testing Guide v2 Table of Contents

Brief Summary

ORM Injection is an attack using SQL Injection against an ORM generated data access object model. From the point of view of a tester, this attack is virtually identical to a SQL Injection attack. However, the injection vulnerability exists in code generated by the ORM tool.

Description

An ORM is an Object Relational Mapping tool. It is used to expedite object oriented development within the data access layer of software applications, including web applications. The benefits of using an ORM tool include quick generation of an object layer to communicate to a relational database, standardized code templates for these objects and usually a set of safe functions to protect against SQL Injection attacks. ORM generated objects can use SQL or in some cases a variant of SQL to perform CRUD (Create, Read, Update, Delete) operations on a database. It is possible, however, for a web application using ORM generated objects to be vulnerable to SQL Injection attacks if methods can accept unsanitized input parameters.

ORM tools include Hibernate for Java, NHibernate for .NET, ActiveRecord for Ruby on Rails, EZPDO for PHP and many others (for a reasonably comprehensive list of ORM tools, see http://en.wikipedia.org/wiki/List_of_object-relational_mapping_software).

Black Box testing and example

Blackbox testing for ORM Injection vulnerabilities is identical to SQL Injection testing see Testing for SQL_Injection. In most cases, the vulnerability in the ORM layer is a result of customized code that does not properly validate input parameters. Most ORM software provide safe functions to escape user input. However if these functions are not used and the developer uses custom functions that accept user input, it may be possible to execute a SQL injection attack.

Gray Box testing and example

If a tester has access to the source code for a web application, or can discover vulnerabilities of an ORM tool an test web applications that use this tool, there is a higher probability of successfully attacking the application. Patterns to look for in code include:

Input parameters concatenated with SQL strings, this example using ActiveRecord for Ruby on Rails (though any ORM can be vulnerable)

Orders.find_all "customer_id = 123 AND order_date = '#{@params['order_date']}'"

Simply sending "' OR 1--" in the form where order date can be entered can yield positive results.


References

Whitepapers

Tools


OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents