Detailedlikelihood: Lowseverity: HighDraft

CAPEC-109Object Relational Mapping Injection

Abstraction
Detailed
Status
Draft
Likelihood
Low
Severity
High

Description

An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.

Related weaknesses· 3

CWE-20CWE-89CWE-564

Related attack patterns· 1

CAPEC-66 (ChildOf)

Exploits3

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-89100%live
WeaknessSQL Injection: Hibernatecwe-564100%live
WeaknessImproper Input Validationcwe-20100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
SQL Injection
CWE
SQL Injection: Hibernate
CAPEC
Object Injection
CAPEC
SQL Injection through SOAP Parameter Tampering
CAPEC
XML Injection
CAPEC
Reflection Injection
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.