NoSQL Injection
What is a NoSQL database?
NoSQL (not only SQL) has disrupted the usage of traditional data stores. It introduces a non-relational model of data storage, unlike earlier storage mechanisms, and thus imposes looser restrictions on consistency. It covers document stores, graph databases, and key-value stores. Driven by the demands of modern applications, NoSQL databases have been widely adopted because they conveniently distribute data across numerous servers. NoSQL databases offer wide scalability, and they require a single database node to perform all operations of the same transaction.
NoSQL databases have existed for a while now, but the term gained wider popularity in early 2009. There are different types and instances of NoSQL databases, some are listed below:
Some ways NoSQL databases differ from more traditional SQL databases are:
- Dynamic schema
- Fields can be added to or modified in documents on the fly without affecting the rest of the data
- Horizontal scalability
- No structured query language
By far the most extensively used NoSQL database is MongoDB.
SQL Injection Attacks vs. NoSQL Databases Like MongoDB
SQL injection is a well-known vulnerability. SQL is a language where users can run queries into and out of a database and recover data using logical operators. Because these searches regularly involve user-supplied data, they may be vulnerable to an injection attack if the input is not sanitized properly.
SQL is not used to conduct queries in NoSQL databases; however, NoSQL queries are not immune to injection. Because queries still contain user-supplied data, failing to properly sanitize this data may lead to dangerous consequences.
Finding the injection
To begin with, it’s key to find where the application ingests any user-supplied data, in other words, data that can be controlled by an external user. Some examples include:
- Filtering or search forms
- Authentication forms
- Headers and cookies
Some input parameters may be directly used in the back-end database query, so it’s worth trying to modify the values to trigger an error or an unexpected behavior.
Some input characters that may break the query are listed below:
‘ “ \ ; { } ( )
NoSQLMap can sometimes be leveraged to catch the low-hanging fruit, although more advanced cases almost always require manual testing, static analysis, and code review.
Commonly used operators in NoSQL injection vulnerabilities include:
- $eq = Equal to
- $ne = Not equal to
- $gt = Greater than
- $regex = Regular expression
- $lt = Less than
- $in = Check whether a value is present in a data structure such as an array
NoSQL Injection
To simulate this vulnerability, we used the OWASP Juice Shop vulnerable application.
In this application, after authentication, users are allowed to submit a review for a product. Once the review is submitted, users only have permission to edit their own reviews, and not reviews given by other users of the application.
For example, in this application, the user has an email id: bender@juice-sh.op
Step 1: User clicks on any one product and submits a review.
Step 2: After submitting the review, the user clicks on edit and makes changes to the review.
Step 3: Intercept the request using Burp Suite, i.e., after editing the review. Looking at the request, notice that each review has its own unique alphanumeric ID value:
Step 4: Remove the Id parameter value and add a simple NoSQL injection payload ($ne:-1). This makes the condition match any Id that is not equal to the specified value, i.e., -1.
Step 5: Refresh the web page. Note that the NoSQL injection payload executes and alters all reviews that were previously submitted by other users of the application.
Mitigation
- Validate input to detect malicious parameters, and also validate input types against the expected types.
- Don’t construct queries from strings; use safe APIs along with prepared statements.
- To minimize the potential harm of a successful injection attack, do not allocate DBA or admin-type access rights to your application accounts.
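The following is an added example, not code from the original post or from Juice Shop: it shows how the $ne payload from Step 4 turns the review lookup into a filter that matches every document, and how the type check from the mitigation list stops it. The review data, the in-memory operator evaluator, and the two handlers are constructed for the demo; the currentUser argument is a hypothetical stand-in for the authenticated session.

```javascript
// Constructed sample reviews (not Juice Shop data)
const reviews = [
  { _id: 'rev-a1', author: 'bender@juice-sh.op', message: 'Great juice' },
  { _id: 'rev-b2', author: 'jim@juice-sh.op', message: 'Too sweet' },
  { _id: 'rev-c3', author: 'admin@juice-sh.op', message: 'Fine' },
];

// Tiny evaluator for the operators listed earlier ($eq, $ne, $gt, $lt, $in, $regex).
// It mimics how a document store interprets an object in the filter position.
function matches(value, cond) {
  if (cond !== null && typeof cond === 'object') {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$eq': return value === arg;
        case '$ne': return value !== arg;
        case '$gt': return value > arg;
        case '$lt': return value < arg;
        case '$in': return Array.isArray(arg) && arg.includes(value);
        case '$regex': return new RegExp(arg).test(String(value));
        default: throw new Error('unsupported operator ' + op);
      }
    });
  }
  return value === cond; // plain value: exact equality
}

function find(filter) {
  return reviews.filter(doc =>
    Object.entries(filter).every(([field, cond]) => matches(doc[field], cond)));
}

// Vulnerable handler: the parsed JSON body is used as-is, so {"id": {"$ne": -1}}
// becomes the filter { _id: { $ne: -1 } }, which matches every review.
function vulnerableSelect(body) {
  return find({ _id: body.id }).map(r => r._id);
}

// Hardened handler: reject anything but a string id before it reaches the
// filter, and scope the filter to the authenticated user (hypothetical argument).
function hardenedSelect(body, currentUser) {
  if (typeof body.id !== 'string') throw new TypeError('id must be a string');
  return find({ _id: body.id, author: currentUser }).map(r => r._id);
}
```

With a real driver the same object would be passed straight to the collection's update call, so the type check has to happen before the filter is built.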
From MongoDB documentation:
You can express most queries in MongoDB without JavaScript and for queries that require JavaScript, you can mix JavaScript and non-JavaScript in a single query. Place all the user-supplied fields directly in a BSON field and pass JavaScript code to the $where field.
You can disable all server-side execution of JavaScript in MongoDB by passing the --noscripting option on the command line or setting security.javascriptEnabled in a configuration file.
References
- https://www.mongodb.com/docs/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection
- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.html
- https://www.mongodb.com/docs/v4.0/faq/fundamentals