CWE-564 Variante Incompleto

SQL Injection: Hibernate

This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL…

Definición

What is CWE-564?

This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL commands.
Hibernate is a popular Object-Relational Mapping (ORM) framework for Java, designed to simplify database interactions. However, when developers bypass its parameterized query mechanisms and directly concatenate user-controlled data into Hibernate Query Language (HQL) or Criteria API statements, it creates the same injection risks as traditional SQL. Attackers can exploit this by injecting malicious code through form inputs, URLs, or other data channels, potentially leading to data theft, corruption, or full system compromise. To prevent this, always use Hibernate's parameter binding features, such as named parameters (:param) or positional parameters (?), which ensure input is treated as data, not executable code. Additionally, adopt the principle of least privilege for database accounts, validate and sanitize all input on the server side, and use Hibernate's built-in escaping functions for any dynamic elements. Regular security testing, including automated DAST/SAST scans and manual code reviews focused on query construction patterns, is essential for identifying and remediating these flaws early in the development lifecycle.
Impacto en el mundo real

Real-world CVEs caused by CWE-564

Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    Identifica una ruta de código que maneje entrada no confiable sin validación.

  2. 2

    Crea un payload que ejercite el comportamiento inseguro — inyección, traversal, overflow o abuso de lógica.

  3. 3

    Envía el payload a través de una solicitud normal y observa la reacción de la aplicación.

  4. 4

    Itera hasta que la respuesta filtre datos, ejecute código del atacante o escale privilegios.

Ejemplo de código vulnerable

Vulnerable Java

The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.

Vulnerable Java 
String street = getStreetFromUser();
  Query query = session.createQuery("from Address a where a.street='" + street + "'");
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-564

  • Requirements A non-SQL style database which is not subject to this flaw may be chosen.
  • Architecture and Design Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.
  • Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
  • Implementation Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.
  • Implementation Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
Señales de detección

How to detect CWE-564

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-564 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-564?

This vulnerability occurs when an application uses Hibernate to construct dynamic SQL queries with unsanitized user input, allowing an attacker to alter the query's logic or execute unauthorized SQL commands.

¿Qué gravedad tiene CWE-564?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-564?

MITRE lists the following affected platforms: SQL, Database Server.

¿Cómo puedo prevenir CWE-564?

A non-SQL style database which is not subject to this flaw may be chosen. Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.

¿Cómo detecta y corrige Plexicus CWE-564?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-564 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-564?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/564.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-564

CWE-89 Padre

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo