ORM (Object-Relational Mapping) is a programming technique that lets developers interact with a database through the object-oriented paradigm of their programming language instead of writing raw SQL queries.
In an object-oriented language, you work with objects and classes. An object is an instance of a class, which can have attributes (properties) and methods (functions).
Relational databases, on the other hand, store data in tables, which consist of rows and columns. Each row represents a record, and each column represents a field of that record.
The ORM works by mapping classes in your code to tables in the database. Each instance of a class corresponds to a row in the table, and each attribute of the class corresponds to a column. ORM frameworks provide methods to perform CRUD (Create, Read, Update, and Delete) operations so that you do not have to write the SQL queries yourself.
This has several benefits: productivity, since developers can focus on application logic rather than writing complex SQL queries; maintainability, since changes to the database schema can be managed more easily across the code base; and security, since ORMs usually protect against SQL injection by using parameterized queries. That protection only holds while queries are built through the ORM's own API; the raw-query methods covered below bypass it when user input is spliced into the query string.
Commonly Used ORM Frameworks:

| Language | Frameworks |
|---|---|
| PHP | Doctrine, Eloquent |
| Java | Hibernate, JPA |
| Python | SQLAlchemy, Django ORM |
| C# | Entity Framework |
| Ruby on Rails | Active Record |
Techniques for Testing ORM Injection
Manual code review – Manually inspect the source code to identify raw query methods that incorporate user input directly. E.g. look for whereRaw() or DB::raw() in Eloquent ORM (Laravel), which execute raw SQL.
Automated scanning – Use security scanning tools designed to detect ORM injection vulnerabilities; these tools analyse the codebase to identify patterns that could lead to injection.
Input validation testing – Manually test application inputs by injecting various SQLi payloads to see whether they affect the underlying ORM query.
Error-based testing – Enter deliberately incorrect or malformed data to trigger errors and learn about the underlying queries. E.g. injecting a single quote (') into a form field and receiving a SQL error message that exposes part of the query structure.
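The error-based and input validation checks above can be reproduced against your own code before a tester does it for you. The following is an added example (not code from the original article or any of the frameworks it names) that uses Python's standard sqlite3 module on a constructed in-memory users table: `find_user_raw_concat` mimics the concatenation mistake behind raw()/extra()/where("... #{input}") and `find_user_parameterized` is the hardened form; `probe` is a hypothetical helper that reports whether a given input produces a database error. All names and the sample data are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_raw_concat(conn, name):
    """Vulnerable pattern: the user-supplied value is pasted into the SQL text,
    the same mistake as Django raw()/extra() with % formatting or Rails
    where() with "#{input}". A quote in the input changes the query itself."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Hardened pattern: the driver binds the value separately from the SQL
    text, so quotes and SQL keywords in the input are treated as plain data."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(query_fn, name):
    """Error-based test harness (hypothetical helper): run one query function
    against a fresh database and return ("ok", rows) or ("error", message)."""
    conn = make_db()
    try:
        return ("ok", query_fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign value behaves the same either way; a single quote only breaks
    # the concatenated query, which is exactly the signal error-based testing
    # looks for and exactly what parameterization removes.
    for label, fn in (("raw concat", find_user_raw_concat),
                      ("parameterized", find_user_parameterized)):
        for test_input in ("alice", "'"):
            print(f"{label:14} {test_input!r:8} -> {probe(fn, test_input)}")
```

The point to take from the run is the asymmetry: the same single quote that raises a syntax error from the concatenated query is simply a name that matches no row in the parameterized one, so a SQL error surfacing from a form field is a reliable sign that some code path is building the query by string formatting.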
ORM Frameworks: Vulnerable Methods

| Framework | ORM Library | Common Vulnerable Methods |
|---|---|---|
| Laravel | Eloquent ORM | whereRaw(), DB::raw() |
| Ruby on Rails | Active Record | where("name = '#{input}'") |
| Django | Django ORM | extra(), raw() |
| Spring | Hibernate | createQuery() with string concatenation |
| Node.js | Sequelize | sequelize.query() |
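The manual code review and automated scanning techniques described earlier come down to one question per call site in the table above: is user-controlled data interpolated or concatenated into the first argument of a raw-query method, or passed separately as a bound parameter? The following added example (my own code, not from the article or any of the listed frameworks) is a small multi-language grep that answers that question for the methods in the table. The rule list, the `first_argument` helper and the sample source lines are constructed for this example; the sample pairs each vulnerable form with the parameterized form a reviewer should accept.

```python
import re

# Rules assumed from the table above: (framework, regex for the raw-query call,
# regex for in-string interpolation syntax checked on the raw first argument,
# regex for concatenation/formatting checked on the first argument with string
# literal contents removed). Constructed for this example.
RULES = [
    ("Laravel / Eloquent",    r"\b(?:whereRaw|DB::raw)\s*\(", r"\$\w+",   None),
    ("Rails / Active Record", r"\.where\s*\(",                 r"#\{",     None),
    ("Django ORM",            r"\.(?:extra|raw)\s*\(",         r"\bf[\"']", r"%|\+|\.format\("),
    ("Spring / Hibernate",    r"\bcreateQuery\s*\(",           None,       r"\+"),
    ("Node.js / Sequelize",   r"\bsequelize\.query\s*\(",      r"\$\{",    r"\+"),
]


def first_argument(text):
    """Return (raw, stripped) for the first top-level argument of a call whose
    opening parenthesis has just been consumed. `stripped` keeps the quote
    characters but drops string literal contents, so a '%s' placeholder inside
    the SQL text is not mistaken for Python's % formatting operator."""
    raw, stripped = [], []
    depth, quote, i = 0, None, 0
    while i < len(text):
        ch = text[i]
        if quote:                                   # inside a string literal
            raw.append(ch)
            if ch == "\\" and i + 1 < len(text):    # keep escaped char in raw
                raw.append(text[i + 1])
                i += 2
                continue
            if ch == quote:
                quote = None
                stripped.append(ch)
        else:
            if ch in "\"'`":
                quote = ch
            elif ch in "([{":
                depth += 1
            elif ch in ")]}":
                if depth == 0:
                    break                           # end of the call
                depth -= 1
            elif ch == "," and depth == 0:
                break                               # end of first argument
            raw.append(ch)
            stripped.append(ch)
        i += 1
    return "".join(raw), "".join(stripped)


def scan(source):
    """Return (line_no, framework, line) for each raw-query call whose first
    argument shows interpolation or concatenation."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for framework, call_re, interp_re, concat_re in RULES:
            for m in re.finditer(call_re, line):
                raw, stripped = first_argument(line[m.end():])
                hit = bool(interp_re and re.search(interp_re, raw)) or \
                      bool(concat_re and re.search(concat_re, stripped))
                if hit:
                    findings.append((lineno, framework, line.strip()))
    return findings


# Constructed sample source: odd lines are vulnerable, even lines are the
# parameterized form of the same query in each framework.
SAMPLE_SOURCE = """\
$users = DB::table('users')->whereRaw("name = '$name'")->get();
$users = DB::table('users')->whereRaw("name = ?", [$name])->get();
User.where("name = '#{params[:name]}'")
User.where("name = ?", params[:name])
qs = User.objects.raw("SELECT * FROM users WHERE name = '%s'" % name)
qs = User.objects.raw("SELECT * FROM users WHERE name = %s", [name])
Query q = session.createQuery("from User where name = '" + name + "'");
Query q = session.createQuery("from User where name = :name").setParameter("name", name);
const rows = await sequelize.query(`SELECT * FROM users WHERE name = '${name}'`);
const rows = await sequelize.query("SELECT * FROM users WHERE name = ?", { replacements: [name] });
"""

if __name__ == "__main__":
    for lineno, framework, line in scan(SAMPLE_SOURCE):
        print(f"line {lineno:2} [{framework}] {line}")
```

A checker this simple is a triage aid, not a proof of safety: it only sees one line at a time, so a query string assembled a few lines earlier and then passed as a variable is missed, and a reviewer still has to confirm where each flagged value comes from.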
Framework Identification
Verifying cookies – Frameworks often use unique naming conventions or formats for their session cookies. Examining these cookies gives clues about the underlying technology. E.g. a cookie named 'laravel_session' likely indicates a Laravel application.
Reviewing source code – Inspecting the HTML source of the page can reveal comments, meta tags, or embedded scripts that are specific to certain frameworks. E.g. a comment such as '<!-- This page is generated by Django -->' indicates a Django application.
Analyzing HTTP headers – HTTP headers can sometimes provide information about the server and framework used. Tools like Burp Suite or the browser's developer tools can be used to inspect these headers.
URL structure – The structure of URLs can give hints about the framework, since certain routing patterns are unique to specific frameworks.
Login and error pages – Authentication pages and error messages can sometimes reveal the framework used by the application. Some frameworks have distinctive error pages or login form structures.
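The cookie, header and source-code clues above are the same ones an application owner can audit to see how much its responses give away. The following added example (my own code, not from the article) takes a constructed HTTP response, the headers as (name, value) pairs and the HTML body, and reports which identification clues it exposes. The fingerprint lists contain the 'laravel_session' cookie and the Django comment from the text plus a few other well-known default cookie names and form field markers that I am assuming here; the `identify_framework` and `likely_framework` helpers and the sample response are constructed for this example.

```python
import re
from collections import Counter

# Assumed fingerprints (well-known defaults, constructed for this example):
# session/CSRF cookie names, X-Powered-By values, and HTML markers.
COOKIE_HINTS = [
    (re.compile(r"^laravel_session$"), "Laravel"),
    (re.compile(r"^(?:csrftoken|sessionid)$"), "Django"),
    (re.compile(r"^_\w+_session$"), "Ruby on Rails"),
    (re.compile(r"^JSESSIONID$"), "Java servlet container"),
    (re.compile(r"^connect\.sid$"), "Express (Node.js)"),
]
HEADER_HINTS = [
    ("x-powered-by", re.compile(r"express", re.I), "Express (Node.js)"),
    ("x-powered-by", re.compile(r"php", re.I), "PHP"),
    ("x-powered-by", re.compile(r"asp\.net", re.I), "ASP.NET"),
]
BODY_HINTS = [
    (re.compile(r"<!--[^>]*django[^>]*-->", re.I), "Django"),
    (re.compile(r"csrfmiddlewaretoken"), "Django"),
    (re.compile(r'name="_token"'), "Laravel"),
    (re.compile(r"authenticity_token"), "Ruby on Rails"),
]


def identify_framework(headers, body):
    """headers: list of (name, value) pairs as sent by the server (repeated
    Set-Cookie headers allowed); body: HTML text. Returns a list of
    (source, evidence, framework) clues in the order they were found."""
    clues = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            # The cookie name is everything before the first '='; attributes
            # after ';' (path, httponly, ...) do not matter for fingerprinting.
            cookie_name = value.split("=", 1)[0].strip()
            for pattern, framework in COOKIE_HINTS:
                if pattern.search(cookie_name):
                    clues.append(("cookie", cookie_name, framework))
        for hname, pattern, framework in HEADER_HINTS:
            if lname == hname and pattern.search(value):
                clues.append(("header", f"{name}: {value}", framework))
    for pattern, framework in BODY_HINTS:
        match = pattern.search(body)
        if match:
            clues.append(("body", match.group(0)[:60], framework))
    return clues


def likely_framework(clues):
    """Framework named by the most clues, or None when nothing matched."""
    if not clues:
        return None
    return Counter(framework for _, _, framework in clues).most_common(1)[0][0]


# Constructed sample response: a Laravel-style app behind PHP, with one
# unrelated cookie that matches no fingerprint.
SAMPLE_HEADERS = [
    ("Server", "nginx"),
    ("X-Powered-By", "PHP/8.2"),
    ("Set-Cookie", "laravel_session=opaque-value; path=/; httponly; samesite=lax"),
    ("Set-Cookie", "theme=dark; path=/"),
]
SAMPLE_BODY = (
    '<html><body><form method="post">'
    '<input type="hidden" name="_token" value="opaque-value">'
    '</form></body></html>'
)

if __name__ == "__main__":
    found = identify_framework(SAMPLE_HEADERS, SAMPLE_BODY)
    for source, evidence, framework in found:
        print(f"{source:7} {evidence!r:55} -> {framework}")
    print("likely framework:", likely_framework(found))
```

Run against your own application's responses, each reported clue is a candidate for removal or renaming (dropping X-Powered-By, renaming the session cookie, stripping generator comments); none of these stops a determined fingerprinting effort, but they remove the cheap signals the text lists.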