Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.elttam.com/blog/leaking-more-than-you-joined-for/
  • Blog Title: ORM Leaking More Than You Joined For
  • Suggested Section: Pentesting Web -> SQL Injection (new subsection on "ORM Leak / Filter-based Secret Exfiltration") or a new dedicated page under Pentesting Web for "ORM filter/oracle leaks (Django, Beego, Prisma, Entity Framework, OData)"

🎯 Content Summary

This article extends elttam's ORM Leak research by presenting concrete bugs and exploitation patterns in multiple ORMs (Beego, Harbor, Prisma, Entity Framework, OData, and middleware), showing how robust filtering/search features can leak sensitive fields (passwords, salts, tokens, TOTP secrets) or bypass authentication. It preserves a low-level focus on how filter expressions are parsed, how user input is mapped to ORM operators, and how attackers can practically exploit these behaviours.

🔧 Technical Details

Beego / Harbor filter expression overwrite via parseExprs bug: Beego’s parseExprs splits filter keys on __ and iterates the segments. If the first segment is a non-relational field (e.g., email) but additional segments look like field names (e.g., password), Beego effectively overwrites the field with the later segment. Thus, an expression like email__password__startswith is interpreted as password__startswith. Any protection that only validates the first segment (e.g., checking email is non-sensitive) can be bypassed by chaining a sensitive field name after it. Attackers can craft field1__field2__op payloads to filter on field2 even when field2 is marked non-filterable, then use response-based oracles to leak its contents.

Bypassing separator-count limits using application-level operator mappings

🤖 Agent Actions

Summary:

  • Expanded the ORM Injection page with a new Beego/Harbor section, detailing how user-controlled filter expressions and Beego’s parseExprs bug enable secret-leak oracles plus the progression of Harbor’s patches and bypasses.
  • Augmented the Prisma coverage with a type-confusion subsection showing how operator objects can be injected through Express parsers/cookies to bypass reset-token validation, and added an Entity Framework & OData section describing reflection-based text helpers and $filter comparison oracles.
  • Added general guidance on collation-aware leak strategies and comprehensive detection/hardening advice (including elttam’s Semgrep rules), and updated the references accordingly.

Tests: Not run (documentation-only changes).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 935
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
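The parseExprs behaviour summarised in the PR description (segments split on `__`, a later field-name segment replacing the earlier one, so a guard that inspects only the first segment passes `email__password__startswith`) is easier to reason about with a small model next to a strict validator. The block below is an added example written for this review, not code from elttam's post, from Beego, or from the HackTricks page; the field and operator allowlists are constructed, and `naiveParse` is a deliberately simplified model of the described segment walk, not Beego's real implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample schema: which columns exist on the model, and which
// lookup operators the filter grammar understands (assumed names).
var modelFields = map[string]bool{"email": true, "username": true, "password": true, "salt": true}
var lookupOps = map[string]bool{"exact": true, "startswith": true, "contains": true, "gt": true}

// Expr is the filter the ORM would ultimately run.
type Expr struct{ Field, Op string }

// naiveParse models the overwrite behaviour described in the post: each
// segment that names a field replaces the field chosen so far, and a
// trailing operator segment is kept. Unknown segments are skipped.
func naiveParse(key string) Expr {
	e := Expr{Op: "exact"}
	for _, seg := range strings.Split(key, "__") {
		switch {
		case modelFields[seg]:
			e.Field = seg
		case lookupOps[seg]:
			e.Op = seg
		}
	}
	return e
}

// firstSegmentOnly is the weak guard the post describes: it validates only
// the first segment against the allowlist of filterable fields.
func firstSegmentOnly(key string, allowed map[string]bool) bool {
	return allowed[strings.SplitN(key, "__", 2)[0]]
}

// strictParse is the hardened form: the key must be exactly
// <allowed field> or <allowed field>__<known operator>, so no second
// field name can ever be smuggled in and reinterpreted downstream.
func strictParse(key string, allowed map[string]bool) (Expr, error) {
	segs := strings.Split(key, "__")
	if len(segs) > 2 {
		return Expr{}, errors.New("too many segments in filter key")
	}
	if !allowed[segs[0]] {
		return Expr{}, fmt.Errorf("field %q is not filterable", segs[0])
	}
	e := Expr{Field: segs[0], Op: "exact"}
	if len(segs) == 2 {
		if !lookupOps[segs[1]] {
			return Expr{}, fmt.Errorf("unknown lookup %q", segs[1])
		}
		e.Op = segs[1]
	}
	return e, nil
}

func main() {
	// Only non-sensitive columns are meant to be filterable.
	allowed := map[string]bool{"email": true, "username": true}
	key := "email__password__startswith"

	fmt.Printf("naive parse of %q -> %+v (weak guard passes: %v)\n",
		key, naiveParse(key), firstSegmentOnly(key, allowed))
	if _, err := strictParse(key, allowed); err != nil {
		fmt.Println("strict parse rejects it:", err)
	}
}
```

Running the block shows the naive walk turning the key into a filter on `password` while the first-segment guard still returns true, and the strict validator rejecting the same key; any key with more than one field-name segment is also a useful thing to alert on in request logs.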

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.elttam.com/blog/leaking-more-than-you-joined-for/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> SQL Injection (new subsection on "ORM Leak / Filter-based Secret Exfiltration") or a new dedicated page under Pentesting Web for "ORM filter/oracle leaks (Django, Beego, Prisma, Entity Framework, OData)"".

Repository Maintenance:

  • MD Files Formatting: 935 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
