Data Transfer Object Injection

DataTransferObjectInjection is a programming error which results in security holes. It is to RemoteObjectService based applications which use object graphs what SqlInjection is to applications which use databases.

DataTransferObjectInjection can happen when there is a RemoteObjectService that allows a client system to send an object graph that is automatically converted by an ObjectRelationalMapper into SQL statements.

Instead of sending a valid object graph, the attacker can send a different object graph representing alterations to the database that go well beyond his security level. For example, a RemoteObjectService may receive an object graph that represent changes in the objects that represent new users, or new permissions granted to existing users of the system.

To prevent this problem it should be possible to specify, at the ObjectRelationalMapping level, which entities can be saved by the current user. Many object-relational mappers and XmlRelationalMappers? automatically write the changes represented by the object graph to the database, without caring if the current application user has the privileges required to persist those objects.

We can not rely on RDBMS security, because most RemoteObjectServices use the same user for all calls. Unfortunately, connecting with a different user for each remote object service would be bad for connection pooling performance.

I wonder if this is a common problem and/or if it generally goes unnoticed.


This should not be confused with DependencyInjection or InversionOfControl.


See ObjectRelationalMapping, SqlInjection


EditText of this page (last edited July 4, 2009) or FindPage with title or text search