# Object Relational Model (ORM)

Passing user input directly through the ORM may introduce vulnerabilities we can exploit. When the input is not properly validated and sanitized, these vulnerabilities are similar to those of raw SQL queries.

During static code analysis, check for the following vulnerable methods. The payload is essentially the same as in pure SQL injections.

**Python Django**

```python
extra()
raw()
```

**Node.js Sequelize**

```javascript
sequelize.query()
```

**PHP Eloquent ORM**

```php
whereRaw()
DB::raw()
```

**Ruby on Rails Active Record**

```ruby
where("name = '#{input}'")
```

**Java Spring Hibernate**

```java
createQuery()
```

## Identify the Framework in Use

Check the website's cookies and HTTP headers. Review the page source and see if you can find indicators like links and version numbers. Look for error messages sent as a response to the queries.
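For the static code analysis step, a rough review helper built on the vulnerable methods listed above (an added example, not part of the original notes): it flags each listed raw-query method in source text and marks calls where the SQL string appears to be built by interpolation or concatenation rather than bound parameters. The regular expressions, the `scan` function and the sample lines are constructed for illustration, and the `DYNAMIC` heuristic is an assumption of this example.

```python
import re

# Sink patterns derived from the method list on this page, keyed by framework.
SINKS = {
    "Django": re.compile(r"\.(extra|raw)\s*\("),
    "Sequelize": re.compile(r"\bsequelize\.query\s*\("),
    "Eloquent": re.compile(r"\bwhereRaw\s*\(|\bDB::raw\s*\("),
    "Active Record": re.compile(r'\.where\s*\(\s*"'),
    "Hibernate": re.compile(r"\bcreateQuery\s*\("),
}

# Heuristic (assumption): SQL text assembled from variables, not bound parameters.
DYNAMIC = re.compile(
    r"#\{|\$\{"                 # Ruby "#{x}" / JavaScript `${x}` interpolation
    r"|\bf[\"']"                # Python f-string
    r"|[\"']\s*%\s*[\w(]"       # Python "..." % value
    r"|\.format\s*\("           # Python str.format
    r"|[\"']\s*\+|\+\s*[\"']"   # "..." + value (JS, Java, Ruby, Python)
    r"|[\"']\s*\.\s*\$"         # PHP "..." . $value
)

def scan(source):
    """Return (line_no, framework, verdict) for every ORM raw-query sink found."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for framework, sink in SINKS.items():
            if sink.search(line):
                # "review" = sink present, no obvious string building; check by hand.
                verdict = "dynamic-sql" if DYNAMIC.search(line) else "review"
                findings.append((no, framework, verdict))
    return findings

# Constructed sample lines, one per framework style (not from a real code base).
SAMPLE = '''\
User.objects.raw(f"SELECT * FROM users WHERE name = '{name}'")
User.objects.raw("SELECT * FROM users WHERE name = %s", [name])
sequelize.query("SELECT * FROM users WHERE name = '" + name + "'")
DB::table('users')->whereRaw("name = ?", [$name])
User.where("name = '#{input}'")
session.createQuery("from User where name = :n").setParameter("n", name)
'''

if __name__ == "__main__":
    for no, framework, verdict in scan(SAMPLE):
        print(f"line {no}: {framework} sink, {verdict}")
```

A `review` verdict only means no string building was visible on that line; a query assembled on an earlier line and passed in as a variable still needs manual tracing.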