ORM Injection
What is ORM Injection?
An injection attack against applications using an Object-Relational Mapper that abuses dynamic queries, mass-assignment, or raw query escape hatches to manipulate data access.
ORM injection occurs when attacker-influenced input reaches an ORM (Hibernate, Entity Framework, SQLAlchemy, ActiveRecord, Sequelize, Prisma, Django ORM, etc.) through APIs that build queries dynamically rather than binding values as parameters. Vulnerable patterns include HQL/JPQL string concatenation (for example session.createQuery("from User where name = '" + name + "'")), ActiveRecord's where(string) with string interpolation, Sequelize's sequelize.literal() raw-SQL escape hatch, SQLAlchemy text() fed a formatted string, mass-assignment of unintended attributes, and sort/filter parameters taken from JSON APIs and spliced into ORDER BY or WHERE clauses. The ORM does not protect these paths: it hands the assembled string to the database just as a raw driver would. Consequences range from classical SQL injection (data theft, tampering, or boolean/blind extraction through an injected ORDER BY expression) to authorization bypass and privilege escalation when access-control or role fields are set through mass-assignment. Defenses: use the ORM's parameterized query builder or bound parameters for values; use strict allowlists that map client-supplied field names to known columns for anything that becomes an identifier (order, group, select), since identifiers cannot be bound as parameters; permit attributes explicitly (strong parameters, DTOs) instead of binding whole request bodies to models; and keep raw query escape hatches away from untrusted input.
● Examples
- 01
A Rails app calling User.where("name = '#{params[:q]}'"), allowing SQL injection through the ORM; the safe forms are User.where(name: params[:q]) or User.where("name = ?", params[:q]), which bind the value.
- 02
A Sequelize endpoint accepting attacker-controlled order parameters that are wrapped in sequelize.literal(), so the client's string becomes raw SQL in the ORDER BY clause.
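The two example patterns above, reduced to what the database actually receives. This is an added example, not code from the original page: a throwaway SQLite table stands in for the ORM's backend, and the table, its three constructed rows, and the function names are assumptions. The first pair of functions mirrors the Rails where(string) case (spliced value vs bound value); the second pair mirrors the Sequelize order case, first with the client string interpolated as a literal, which turns an ORDER BY into a boolean oracle over another column, then with an allowlist mapping request keys to columns. A strong-parameters style permit() covers the mass-assignment variant.

```python
import sqlite3

# Constructed sample data: a users table with a role and a password hash that
# the API is never supposed to expose.
def seed():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT, password_hash TEXT)")
    con.executemany(
        "INSERT INTO users (name, role, password_hash) VALUES (?, ?, ?)",
        [("zed", "admin", "h1"), ("amy", "user", "h2"), ("bob", "user", "h3")],
    )
    return con


def find_by_name_vulnerable(con, q):
    # Mirrors User.where("name = '#{params[:q]}'"): the value is pasted into the
    # query text, so a quote in q is interpreted as SQL syntax.
    sql = f"SELECT id, name, role FROM users WHERE name = '{q}'"
    return con.execute(sql).fetchall()


def find_by_name_safe(con, q):
    # Mirrors User.where(name: params[:q]): the value travels as a bound
    # parameter and can never change the statement's structure.
    return con.execute("SELECT id, name, role FROM users WHERE name = ?", (q,)).fetchall()


def list_users_vulnerable(con, sort_param):
    # Mirrors order: [sequelize.literal(req.query.sort)]: the client string is
    # emitted verbatim as the ORDER BY expression.
    return con.execute(f"SELECT name FROM users ORDER BY {sort_param} ASC").fetchall()


# Allowlist: request key -> real column. role and password_hash are deliberately absent.
ORDERABLE = {"name": "name", "id": "id"}


def build_order(sort_param):
    # Accepts "name" or "-name" (JSON:API style) and resolves it through the
    # allowlist. Identifiers cannot be bound as parameters, so this lookup is
    # the control; anything not in the map is rejected, never interpolated.
    desc = sort_param.startswith("-")
    key = sort_param[1:] if desc else sort_param
    if key not in ORDERABLE:
        raise ValueError(f"unsortable field: {key!r}")
    return ORDERABLE[key], "DESC" if desc else "ASC"


def list_users(con, sort_param):
    col, direction = build_order(sort_param)
    # Only allowlisted values ever reach the f-string.
    return con.execute(f"SELECT name FROM users ORDER BY {col} {direction}").fetchall()


# Attributes a client may set on a user; role is not among them.
PERMITTED = {"name", "email"}


def permit(params):
    # Strong-parameters style filter: drop any key the client is not allowed
    # to assign before the dict is handed to the model.
    return {k: v for k, v in params.items() if k in PERMITTED}


if __name__ == "__main__":
    con = seed()
    print(find_by_name_vulnerable(con, "x' OR '1'='1"))   # every row
    print(find_by_name_safe(con, "x' OR '1'='1"))         # no rows
    # Sort-parameter oracle: the first row reveals whether zed's hash starts with 'h'.
    probe = "(CASE WHEN (SELECT password_hash FROM users WHERE name='zed') LIKE 'h%' THEN id ELSE name END)"
    print(list_users_vulnerable(con, probe)[0])
    print(list_users(con, "-name"))
    print(permit({"name": "amy", "role": "admin"}))
```

The ORDER BY probe is the part worth studying: the injected CASE never returns data directly, but ordering by id versus name changes which row comes first, so an attacker can extract the hash one character at a time through a field that looks harmless in the API. The allowlisted build_order raises on that input instead of interpolating it.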
● Frequently asked questions
What is ORM Injection?
An injection attack against applications using an Object-Relational Mapper that abuses dynamic queries, mass-assignment, or raw query escape hatches to manipulate data access. It belongs to the Attacks & Threats category of cybersecurity.
What does ORM Injection mean?
An injection attack against applications using an Object-Relational Mapper that abuses dynamic queries, mass-assignment, or raw query escape hatches to manipulate data access.
How does ORM Injection work?
ORM injection occurs when attacker-influenced input reaches an ORM (Hibernate, Entity Framework, SQLAlchemy, ActiveRecord, Sequelize, Prisma, Django ORM, etc.) through APIs that build queries dynamically rather than binding values as parameters. Vulnerable patterns include HQL/JPQL string concatenation, ActiveRecord's where(string) with string interpolation, Sequelize's sequelize.literal() raw-SQL escape hatch, SQLAlchemy text() fed a formatted string, mass-assignment of unintended attributes, and sort/filter parameters taken from JSON APIs and spliced into ORDER BY or WHERE clauses. The ORM hands the assembled string to the database just as a raw driver would, so consequences range from classical SQL injection to authorization bypass and privilege escalation when access-control or role fields are reachable through mass-assignment.
How do you defend against ORM Injection?
Bind values through the ORM's parameterized query builder instead of string interpolation; resolve client-supplied sort, filter and column names through a strict allowlist, because identifiers cannot be bound as parameters; permit attributes explicitly (strong parameters, DTOs) rather than binding whole request bodies to models; and keep raw query escape hatches such as literal() or text() away from untrusted input. Operationally, review code for those escape hatches and test sort and filter parameters with SQL metacharacters during security testing.
What are other names for ORM Injection?
Common alternative names include: HQL injection, JPQL injection.
● Related terms
- SQL Injection (attacks)
A code-injection attack that smuggles attacker-controlled SQL into a database query, letting the attacker read, modify, or destroy data.
- NoSQL Injection (attacks)
An injection attack that manipulates the operators, JSON, or query DSL of a NoSQL database to bypass logic or extract data.
- Stored Procedure Abuse (attacks)
Exploiting privileged or insecure database stored procedures to execute arbitrary SQL, run OS commands, or escalate privileges from the database layer.
- Mass Assignment (vulnerabilities)
A vulnerability where an application blindly binds client-supplied request fields to internal object properties, letting attackers set fields they should not control.
- Input Validation (appsec)
The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.