Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ORM Leaking More Than You Joined For

Alex Brown - elttam. Posted 2 months ago
  • Beego is a popular Object Relational Mapper (ORM) for Go. Its filtering syntax is heavily based on the Django ORM's. Because of these similarities, the techniques from the earlier Django ORM article (plORM) worked on Go as well. The main requirement was full control of the filter expression.
  • They went looking for vulnerable open-source projects on GitHub using SourceGraph. A simple search led them to Harbor, where a user-controlled query parameter was concatenated into the key of a filter that used the __icontains lookup. Supplying email as the input returned every email address, and the same trick allowed filtering on internal sensitive fields such as password and salt.
  • The Harbor team first tried to patch this by restricting which fields could appear in the filter. The authors noticed that if a__b was supplied, the ORM parsed b as the field while the validation only saw a. A second patch tried to limit the number of __ sequences in the filter. This was bypassed with the concatenation described above: the input contained only a single __, but the filter the ORM actually evaluated contained two.
  • The authors say these issues are common in their client engagements and on bug bounty targets. Overall, a good post on an ORM leak issue that somewhat resembles NoSQL injection.
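As an added illustration (my own code, not from the elttam post, Harbor or Beego), here is a small Go validator contrasting the patch strategy summarised above, which inspected the raw parameter, with checking the final filter key in full against allow-lists. The field and operator lists and the buildKey concatenation are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Allow-lists for this example (constructed; Harbor's real lists are not on the page).
var allowedFields = map[string]bool{"name": true, "email": true}
var allowedOps = map[string]bool{"exact": true, "icontains": true}

// buildKey mimics the pattern described above: the caller-supplied parameter is
// concatenated with a lookup suffix to form the ORM filter key.
func buildKey(param string) string {
	return param + "__icontains"
}

// weakCheck validates only the raw parameter, the way the summarised patches did:
// the text before the first "__" must be an allowed field, and the parameter may
// contain at most one "__". It never sees the key the ORM actually parses.
func weakCheck(param string) bool {
	field := strings.SplitN(param, "__", 2)[0]
	return allowedFields[field] && strings.Count(param, "__") <= 1
}

// strictCheck validates the final key as a whole: exactly one allowed field,
// optionally followed by exactly one allowed lookup operator, and nothing else.
func strictCheck(key string) bool {
	parts := strings.Split(key, "__")
	switch len(parts) {
	case 1:
		return allowedFields[parts[0]]
	case 2:
		return allowedFields[parts[0]] && allowedOps[parts[1]]
	}
	return false
}

func main() {
	for _, p := range []string{"email", "password", "email__password"} {
		key := buildKey(p)
		fmt.Printf("%-26s weak=%-5v strict=%v\n", key, weakCheck(p), strictCheck(key))
	}
}
```

Validating the parameter before concatenation lets the final key differ from what was checked; validating the complete key against fixed field and operator lists closes that gap.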