WebApp Sec mailing list archives

RE: Hibernate Query Language


From: "Benjamin Livshits" <livshits () cs stanford edu>
Date: Thu, 10 Nov 2005 11:50:59 -0800

I don't recall the details at this point, but there are other vulnerable
methods as well in Hibernate 2.0 that became deprecated by version 3.
Methods Session.iterate(String,...) and Session.delete(String,...) are good
examples. Session.find is probably most common.

Potentially, all methods in the API that take a String query parameter are
vulnerable, though.

-Ben

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj () greebo net] 
Sent: Thursday, November 10, 2005 1:50 AM
To: alfredhitchcock_007 () yahoo com
Cc: webappsec () securityfocus com
Subject: Re: Hibernate Query Language

In Hibernate, the main thing to look for is the use of 
session.find (). This is a thin layer over the top of the SQL 
driver, and can be used in a traditional injection method.

The example I used in OWASP 2.0 is:

Dangerous:

// paymentIds.get(i) comes from the user and is spliced straight into the HQL text
List payments = session.find("from com.example.Payment as payment where payment.id = " + paymentIds.get(i));
Payment payment = (Payment) payments.get(0);

The above Hibernate HQL will allow SQL injection from 
paymentIds, which are obtained from the user. A safer way to 
express this is:

Integer pId = (Integer) paymentIds.get(i);   // the value is bound as a parameter, never concatenated
List payments = session.find("from com.example.Payment as payment where payment.id = ?", pId, Hibernate.INTEGER);
Payment payment = (Payment) payments.get(0);

For this reason, this interface is marked as being 
"deprecated", but I see it a lot in code reviews as it's so handy.

thanks,
Andrew

On 10/11/2005, at 6:33 PM, alfredhitchcock_007 () yahoo com wrote:

Hi All,

I am being tasked to do a comprehensive security audit for a Java
application. This Java application is using Hibernate Query Language
(HQL). Does anybody have an idea about vulnerable APIs in HQL? How do
I find out vulnerable SQL constructs in this language?

I am thorough with SQL Injection where dynamic queries and normal
stored procedures are being used. But HQL uses different APIs to
construct the SQL query. Can anybody help me in identifying potential
issues with HQL?
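As an added illustration of the audit the original question asks about (not code from any of the posters), the following Python script grep-style classifies calls to the Hibernate 2.x Session methods named in the thread (find, iterate, delete) by whether their HQL argument is a constant, a parameterised query with ? placeholders, or text assembled at runtime from non-literal data. The Java sample it scans is constructed here to mirror the two snippets above; the regexes assume one statement per line and no escaped quotes.

```python
import re

# Hibernate 2.x Session methods named in the thread that take raw HQL text.
QUERY_METHODS = ("find", "iterate", "delete")

# Matches ".find( ... );" on a single line and captures the argument list.
CALL_RE = re.compile(
    r"\.(?P<method>" + "|".join(QUERY_METHODS) + r")\s*\((?P<args>[^;]*)\)\s*;")

def first_argument(args):
    """First top-level argument: split on a comma outside strings and parens."""
    depth, in_str, out = 0, False, []
    for ch in args:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "([":
            depth += 1
        elif not in_str and ch in ")]":
            depth -= 1
        elif not in_str and ch == "," and depth == 0:
            break
        out.append(ch)
    return "".join(out).strip()

def classify_call(statement):
    """Return (method, verdict) for one Java statement, or None if no query call."""
    m = CALL_RE.search(statement)
    if not m:
        return None
    query = first_argument(m.group("args"))
    # Blank out string literals; anything left means the HQL is built at runtime.
    leftover = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    if "+" in leftover or re.search(r"[A-Za-z_]", leftover):
        verdict = "dynamic"          # concatenation or a variable: review for injection
    elif "?" in query or re.search(r":\w+", query):
        verdict = "parameterised"    # placeholders, values bound separately
    else:
        verdict = "constant"
    return m.group("method"), verdict

# Constructed sample mirroring the thread's two snippets plus iterate()/delete().
SAMPLE = '''
List p1 = session.find("from Payment as p where p.id = " + paymentIds.get(i));
List p2 = session.find("from Payment as p where p.id = ?", pId, Hibernate.INTEGER);
Iterator it = session.iterate("from Payment as p where p.status = 'open'");
session.delete("from Payment as p where p.owner = '" + user + "'");
'''

if __name__ == "__main__":
    for no, line in enumerate(SAMPLE.strip().splitlines(), 1):
        print(no, classify_call(line))
```

A "dynamic" verdict is a review prompt, not proof of a bug: the concatenated value may still be a trusted constant, which is exactly what the manual review has to establish.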



