Re: Hibernate Query Language

[Andrew van der Stock <vanderaj () greebo net>]

In Hibernate, the main thing to look for is the use of session.find 
(). This is a thin layer over the top of the SQL driver, and can be  
used in a traditional injection method.

The example I used in OWASP 2.0 is:

Dangerous:

Payment payment = (Payment) session.find("from com.example.Payment as  
payment where payment.id = " + paymentIds.get(i));

The above Hibernate HQL will allow SQL injection from paymentIds,  
which are obtained from the user. A safer way to express this is:

int pId = paymentIds.get(i);
TsPayment payment = (TsPayment) session.find("from  
com.example.Payment as payment where payment.id = ?", pId, StringType);

For this reason, this interface is marked as being "deprecated", but  
I see it a lot in code reviews as it's so handy.

thanks,
Andrew

On 10/11/2005, at 6:33 PM, alfredhitchcock_007 () yahoo com wrote:

> Hi All,
>
> I am being tasked to do a comprehensive security audit for a java  
> application. This java application is using Hibernate Query  
> Language (HQL). Does anybody have an idea about vulnerable API's in  
> HQL? How do I find out vulnerable SQL constructs in this language?
>
> I am thorough with SQL Injection where Dynamic queries and normal  
> stored procedures are being used. But HQL uses different API's to  
> construct the SQL query. Can anybody help me in identifying  
> potential issues with HQL?