What I would like to show you is a simple technique that can be effectively used against modern web applications, such as those written on top of NodeJS and MongoDB. In essence, this technique is very similar to SQL Injection (SQLI) although much simpler because we do not have to complete any weird and complicated strings.
Before I move on, I would like to state that although I talk about NodeJS, in the examples below I use ExpressJS, which is the most popular web framework for node and a de facto standard in the NodeJS community.
As part of our MongoDB Guide, we’ve compiled this cheat sheet of common and not-so-common MongoDB commands. (This article is part of our MongoDB Guide. Use the right-hand menu to navigate.) Table of Contents. Pretty Print Create Collection Create Indexes Create index Create sparse index Create compound index Create geo index Create partial index. Here is a list of the most useful and best SQL injection tools: 1. SQLMap is the open source SQL injection tool and most popular among all SQL injection tools available. It is also one of the most SQL injection tool for Windows OS. JSQL Injection tool is a Java based Tool For Automatic Database SQL Injection.
The following table presents the various SQL statements and the corresponding MongoDB statements. The examples in the table assume the following conditions: The SQL examples assume a table named users. The MongoDB examples assume a collection named users that contain documents of the following prototype.
The SQL Injection Primer
The first thing you learn when studying SQL Injection is how to create true statements. Let's consider the following example SQL statement that is used to authenticate the user when the username and the password are submitted to the application:
If this statement is not prepared or properly handled when constructed, an attacker may be able to place ' or 1=1-- in the username field in order to construct a statement that looks more or less like the one bellow, which is known as the classic login bypass via SQLI:
Even today, this classic attack and its variations are wildly used to detect the presence of improper handling of SQL statements.
The MongoDB Injection Primer
Now, even though SQL Injection is still a popular attack vector, it is no longer as widespread as it used to be. Many modern web applications opt in to use a much simpler storage mechanism such as the one provided by NoSQL databases like MongoDB. NoSQL databases not only promise simplified development but also improved security by eliminating the SQL language entirely and relaying on much simpler and structured query mechanism that is typically found in the face of JSON and JavaScript.
The SQL statement that we used above to query the user login details will be written like this in MongoDB:
As you can see we no longer deal with a query language in the form of a string therefore one would think that injection is no longer possible. And of course, as it is always the case with security, they will be wrong because there are many factors at play.
For example, if we assume that the username field, or parameter if you like, is coming from a deserialized JSON object, manipulation of the above query is not only possible but inevitable. Such as, if one supplies a JSON document as the input to the application, an attacker will be able to perform the exact same login bypass that was before possible only with SQL injection:
The actual vulnerable handler of the request will look more or less like this:
In the above ExpressJS handler, the username and password fields are not validated to ensure that they are strings. Therefore, when the JSON document is deserialized, those fields may contain anything but strings that can be used to manipulate the structure of the query. In MongoDB, the field $gt has a special meaning, which is used as the greater than comparator. As such, the username and the password from the database will be compared to the empty string ' and as a result return a positive outcome, i.e. a true statement.
The request to exploit this vulnerability will look more or less like the one bellow. Use this link to open the request in Rest:
Taking NodeJS and MongoDB Exploitation Further
In the example above I deliberately choose to use JSON as the transport mechanism because it makes this attack easier to explain. While, it is not unusual to see JSON documents as the communication mechanism, they are not as widespread as url-encoded key-value pairs, simply known as urlencoding. One would think that if you just use body and query parameters in urlencoding format than you will be safe.
In ExpressJS we can still achieve the bypass effect without using JSON at all but simple query strings. For example, we can submit a request like the one illustrated bellow. Use this link to open the request in Rest:
The string username[$gt]= is a special syntax used by the qs module (default in ExpressJS and the body-parser middleware). This syntax is the equivalent of making an JavaScript object/hash with a single parameter called $gt mapped to no value. In essence, the request above will result into a JavaScript object that looks like the one illustrated bellow:
If you compare this object with the one that we used in the previous example, you can see that logically they are the same.
Mongodb Cheat Sheet Pdf
Once again, we have defeated the authentication mechanism to login as the first user in the database which is probably the administrator. This technique can be extended even further with additional MongoDB operators as per the official documentation here.
Learning By Example
I believe that the best way to learn new things is to experience them first hand. Therefore, I have created two projects that illustrate this vulnerability in practice. The first project uses normal urlencoded form values while the second project uses JSON (AngularJS).
Both projects can be found on our GitHub portal here and here. You need docker in order to run them. I will save myself the trouble going into details about how docker works. Just read the projects' README file for more information.
Testing For MongoDB Injection
I hope you now have a good idea the kind of attacks we can perform against NodeJS and MongoDB applications. In practice, I have seen a great success using the technique above and its variations when performing manual investigations. However, I am also a big fan of automation so, for the fans of Websecurify Suite, I have personally incorporated these tests in both Formfuzz and Jsonfuzz tools.
To make it simpler, I have implemented a new escapemode command called use_mongodb_payloads. Once you execute the command, the fuzzer will not only use MongoDB specific payloads but also do mutation of the query to achieve maximum depth.
Once the escapemode command is executed, the fuzzer will produce requests similar like the one illustrated on the screenshot bellow. As you can clearly see we bypassed the login screen in just a few seconds by using the Formfuzz fuzzer.
I hope this post helps you get some understanding about the kind of problems you may experience if you are using NodeJS and MongoDB together. Wyse systems (india) driver download for windows. In a follow-up post I will go in depth about other security issues effecting both platforms. If you have any specific questions, do not hesitate to get in touch. We are here to help.
If you’re an application developer, DBA, or any flavor of technologist, really, code injection should be on your radar. Drivers vivitar.
You have a secure cloud environment. You have database access locked down. But what about your application code? Although it’s considered more secure, the “No” in NoSQLi does not mean un-injectable! NoSQL can be just as susceptible to code injection as any other database code. Not guarding against code injection is like having a security system in place for your doors and leaving a back window open.
What is code injection?
Code injection is simply unvalidated data being added (“injected”) into a vulnerable program where it’s executed as application code, often to disastrous results.
SQLi is one of the most common types of injection and, at over a decade old, is still going strong. Injection issues aren’t limited to just database languages: Beyond SQL and NoSQL, injection can occur in XPath, XML Parsers, SMTP headers, and a wide variety of other contexts. And as far as severity goes, code injection is a cousin to RCE (remote code execution) — the “Game Over” screen of penetration testing.
Mongodb Query Language Cheat Sheet
That’s why it’s important to detect and prevent NoSQLi in your own applications. Allowing an unmitigated injection vector can threaten the safety of your user base, representing a possible business-ending loss of trust. Fortunately, once you understand the mechanics, there are simple, concrete steps you can take to both detect and prevent NoSQLi vulnerabilities in your own services.
Simple NoSQLi Examples
Typically, MongoDB ingests BSON data (Binary JSON) constructed using a secure BSON query construction tool. But in certain cases, MongoDB can also accept unserialized JSON and Javascript expressions — like in the case of the $where operator.
As with SQL, the $where operator is ripe for abuse and potential injection in NoSQL. However, unlike in SQL, the NoSQL $where expresses its conditional in Javascript. This means it can use the full expressive power of JS to craft possible injection queries instead of being limited to what SQL provides.
Going through lists of MongoDB injection strings in public repos like this one illustrates some of the common injection strategies, which parallel similar vulnerabilities in SQL and other languages.
For example, some use the classic 1 1 expression to force a query to return a truthy value in an attempt to read hidden (or admin-level) resources and privileges:
Mongodb Vs Sql Performance
Other snippets emulate a blind injection strategy by using the sleep() function to slow the DB down and create a side-effect that — when used in conjunction with craftily-designed filters — can enumerate oftentimes sensitive information:
And then of course there’s plain old data exfiltration, where the injected query is trying to match and retrieve critical information directly (and not through a programmatic game of “Guess Who”).
Sinosun motherboards driver download for windows. After the first example, the remaining two don’t use the $where operator, proving that you don’t need a handy Javascript-flavored expression as a foothold to attack a NoSQL DB.
Preventing NoSQLi
There are several general strategies to pursue when trying to build a NoSQLi-resistant application architecture. It’s no surprise that they conform with general anti-injection advice.
MongoDB / NoSQLi is not special
There’s a weird school of thought where people see injection as being SQL-specific and don’t understand the validity of injection principles applied to other contexts. Hopefully this post convinces you that NoSQLi is real. There’s a reason people write posts with titles like “MongoDB will not prevent NoSQL injections in your Node.js app”
Do not trust unvalidated user data
Don’t trust users! Ever! Even a bit!
This is a truism to the point of being a cliche in security, but expect every input to be probed with malicious intent. To borrow from our $where example earlier, it illustrates pretty clearly why we can’t do something along the lines of $where: unvalidated_input — even if we only think we’re exposing the filter to the user at this point (bad enough!) the fact that users are introducing unvalidated data into the larger query is a total no-no.
Be wary of language/integration specifics
Even though NoSQLi isn’t special when it comes to being immune to injection (and in fact suffers from many of the same types of attacks), that doesn’t mean there aren’t also strategies unique to NoSQLi — or even to the languages / components built on top of a NoSQL DB. A prominent example is that since $where is formatted in a way that passes as a PHP variable, a NoSQL DB built on top of a PHP application has to account for this and the possible scenario of a malicious string injection stored in $where.
Conclusion
Again, the “No” in NoSQLi does not mean un-injectable! NoSQL — similar to SQL, SMTP headers, XML, and a million other contexts — is just as susceptible to code injection and the general treating-things-as-application-code-that-aren’t-application-code pitfalls that plague so many other technologies.
Hopefully though, with this post, you’ve gained a greater understanding of NoSQLi, what it means to your business. Now, you can steer your code to processes that make it less prevalent, less widespread, and less impactful. If you need some MongoDB management advice to make sure your app and hosting environment is secure, ObjectRocket has experienced DBAs who can help.
If you’d like to read more of Joe’s writing on security, code injection, or penetration testing, check out his new guide, Hands-On Bug Hunting for Penetration Testers. You can follow him at joecmarshall.com