Input Validation / ORM Injection
Description
ORM Injection is an injection attack against web and API applications in which untrusted input reaches the database through an Object-Relational Mapping (ORM) layer without proper validation, typically because the input is concatenated or formatted into a raw query fragment that the ORM passes through to the database rather than binding it as a parameter. The Common Weakness Enumeration catalogues this weakness under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')). A successful attack lets the attacker alter the SQL the ORM generates, potentially reading sensitive data or modifying the database. The OWASP Testing Guide treats ORM injection as a form of SQL injection, and the techniques for testing for it are the same.
Risk
ORM Injection is a serious vulnerability that can lead to data loss, defacement of the application's content and disruption of service. An attacker may read sensitive data from the database, modify it or delete it, and, where the application derives authorization decisions from database contents, escalate privileges to reach parts of the application that are normally restricted.
Solution
To prevent ORM Injection, keep user input out of the SQL text entirely: use the ORM's query-builder methods or explicit bound parameters, which send the value to the database separately from the statement, and never build a query string by concatenation or formatting, including when using the ORM's raw-SQL escape hatches. Where a value cannot be bound as a parameter, such as a column name used for sorting or filtering, check it against an allowlist of permitted values instead. Validate input for type and format before use as a defence in depth; escaping alone is not a reliable defence and must not replace parameter binding.
Example
The following query, written with the SQLAlchemy ORM, is the kind of code commonly cited in discussions of ORM injection.
query = session.query(User).filter_by(name=request.args.get('name'))
As written, this query is not injectable: filter_by() passes the value as a bound parameter, so the ORM emits a statement of the form WHERE name = ? and the database never interprets the user-supplied string as SQL. The vulnerability appears when the same input is formatted or concatenated into a raw SQL fragment, for example a string handed to SQLAlchemy's text(), which the ORM forwards to the database verbatim; a value that closes the quote the query opened and appends its own condition then changes the WHERE clause, potentially returning every row or modifying the database.
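The contrast described above, together with the validation and allowlisting advice in the Solution section, as an added worked example (this is not code from the original page). It uses only Python's standard-library sqlite3 module so that it runs offline; the two query functions reproduce the SQL an ORM emits for a bound filter_by() call and for a concatenated raw fragment respectively, and the table, rows, name pattern and sort-column allowlist are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample database: two users, one of them an administrator.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def find_by_name_bound(conn: sqlite3.Connection, name: str) -> list:
    """What filter_by(name=...) compiles to: the statement text is fixed and
    the value travels separately as a bound parameter, so it cannot become SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """The injectable pattern: a raw fragment built by string formatting and
    handed to an ORM raw-SQL escape hatch (text(), raw(), extra(), ...),
    which forwards it to the database verbatim."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


# Defence in depth: reject anything that does not look like a user name before
# it reaches any query. The pattern is a constructed example, not a standard.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_name(name) -> str:
    if not isinstance(name, str) or NAME_RE.fullmatch(name) is None:
        raise ValueError("invalid user name")
    return name


# Identifiers such as column names cannot be bound as parameters, so a
# user-chosen sort column must be checked against an allowlist instead.
SORTABLE_COLUMNS = {"name", "email"}


def list_users_sorted(conn: sqlite3.Connection, order_by: str) -> list:
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    # Safe only because order_by was just allowlisted; never format raw input here.
    return conn.execute(f"SELECT name FROM users ORDER BY {order_by}").fetchall()


def demo() -> dict:
    """Run the same payload through both query styles and return both results."""
    conn = make_db()
    payload = "' OR '1'='1"  # tautology that closes the quote the query opened
    return {
        # [] : no user has that literal name, the quote is just data
        "bound": find_by_name_bound(conn, payload),
        # both rows: the WHERE clause became  name = '' OR '1'='1'
        "concat": find_by_name_concat(conn, payload),
    }


if __name__ == "__main__":
    results = demo()
    print("bound parameter :", results["bound"])
    print("concatenated    :", results["concat"])
```

The same payload returns nothing through the bound query and every row through the concatenated one, which is the whole difference between using the ORM's query builder and bypassing it with a formatted string; validate_name() and the sort-column allowlist show the two places where validation still matters even when every value is bound.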