CAPEC-109: Object Relational Mapping Injection

Description

An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.

Extended Description

The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.

Severity :

High

Possibility :

Low

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-66: SQL Injection SQL Injection

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

An application uses data access layer generated by an ORM tool or framework
An application uses user supplied data in queries executed against the database
The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Medium Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-564: SQL Injection: Hibernate

Visit http://capec.mitre.org/ for more details.