logo

SQL Injection: Hibernate

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL commands.

Extended Description

Hibernate is a popular Object-Relational Mapping (ORM) framework for Java, designed to simplify database interactions. However, when developers bypass its parameterized query mechanisms and directly concatenate user-controlled data into Hibernate Query Language (HQL) or Criteria API statements, it creates the same injection risks as traditional SQL. Attackers can exploit this by injecting malicious code through form inputs, URLs, or other data channels, potentially leading to data theft, corruption, or full system compromise. To prevent this, always use Hibernate's parameter binding features, such as named parameters (:param) or positional parameters (?), which ensure input is treated as data, not executable code. Additionally, adopt the principle of least privilege for database accounts, validate and sanitize all input on the server side, and use Hibernate's built-in escaping functions for any dynamic elements. Regular security testing, including automated DAST/SAST scans and manual code reviews focused on query construction patterns, is essential for identifying and remediating these flaws early in the development lifecycle.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Application DataModify Application Data
Potential Mitigations 5
Phase: Requirements
A non-SQL style database which is not subject to this flaw may be chosen.
Phase: Architecture and Design
Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.
Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid Client-Side Enforcement of Server-Side Security. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Implementation
Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.
Phase: Implementation
Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
Demonstrative Examples 1
The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.

Code Example:

Bad
Java
java
Applicable Platforms
Languages:
SQL : Often
Technologies:
Database Server : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
ChildOf: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
ChildOf: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Taxonomy Mapping
  • Software Fault Patterns