In this blog, we will be discussing the NoSQL injection vulnerability and its exploitation scenarios.
Before getting into the details of NoSQL injection, let us first see the difference between SQL (Structured Query Language) and NoSQL (Not Only Structured Query Language) databases.
There are multiple NoSQL databases available in the market, such as
MongoDB stores each document as a JSON object (JavaScript Object Notation) and is mainly used as a document database.
NoSQL injection is a vulnerability that occurs due to improper input validation. It allows an attacker to view or change backend data to which they should not have access. It happens at the application layer, and successfully exploiting this vulnerability could allow an attacker to gain full access to the data present in the database. An attacker could also run malicious queries, which could compromise the confidentiality, integrity, and availability of the data present in the database.
Now let us explore NoSQL injection in detail. The NoSQL injection vulnerability is very similar to the traditional SQL injection vulnerability.
NoSQL databases were created to eliminate the SQL injection problems of SQL databases and were considered highly secure compared to them. However, injection is still possible in NoSQL databases due to misconfiguration and loopholes left open during the development phase. In this blog, we will be focusing specifically on MongoDB.
Below is an example of a simple query used for the authentication process in MongoDB.
db.user_auth.find({Username: username, Password: password});
The query shown above is used for authenticating a user. In this query, user input such as the username and password is used directly without input validation, which allows an attacker to inject data structures such as arrays or MongoDB operators instead of a valid username and password. This data is sent either as a JSON object or as URL parameters.
Below is the JSON object expected by the application:
{ Username: "username", Password: "password" }
JSON object after injecting authentication bypass NoSQL payloads:
{ Username: { $ne: "" }, Password: { $ne: "" } }
Requests to MongoDB could be sent in two ways: as URL-encoded form parameters or as a JSON object.
With URL-encoded parameters, the payload is injected along with the parameter names, using a data structure such as an array that contains operators inside it.
Example:
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

user=admin&password[$ne]=
In the case of a JSON object, the payload can be inserted directly into the value field.
Example:
POST /login HTTP/1.1
Host: target.com
Content-Type: application/json
Content-Length: 38

{ "username": "admin", "Password": { "$ne": "" } }
Data such as usernames, passwords, secrets, etc., could be easily gathered using the $regex operator.
The $regex operator matches against a regular expression, using which an attacker could quickly check the length of the data, check whether the data starts with a particular character, and so on.
Example: In this case, $regex is used to find the length of the password when the username is admin.
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username[$ne]=admin&password[$regex]=.{5}
Below is a simple authentication bypass scenario in which the application is vulnerable to NoSQL injection.
The username is admin, and instead of a password, we are sending a JSON object with the $ne operator. $ne will return true since the password value is not null.
POST /login HTTP/1.1
Host: target.com
Content-Type: application/json
Content-Length: 38

{"username":"admin", "password": {"$ne": null}}
If the $where operator is used in the backend, injecting JavaScript code containing an infinite while loop as user-supplied data will consume all available CPU.
For more payloads for exploitation of NoSQL injection vulnerability, do check out this link.
NoSQLMap is an open-source Python tool designed for auditing and automating injection attacks. It targets default configuration weaknesses in NoSQL databases and web applications that can be exploited, and uses NoSQL injection to clone or disclose data from the database.
For the demo, we will be making use of the OWASP Juice Shop application. In this application, after authentication, the user is allowed to submit a review for a product. Once the review is submitted, a user only has permission to edit their own review, not the reviews submitted by other users of the application. For example, in this application, the user has the email id test@nulltest.com.
POC: User submits a review
POC: Edit submitted a review and intercept the request
POC: Intercept the edit request
POC: Added NoSQL injection payload in the id parameter
POC: All the submitted reviews changed to attacker-supplied review text
Attackers can now not only extract data from the database but also execute code in the application, for example to perform denial of service attacks or even take control of the user's system or the server. These attacks are particularly dangerous because developers often use NoSQL data stores in place of relational database products, increasing the risk of insecure code. Therefore, the most effective way to reduce the danger of NoSQL injection attacks is to avoid using untrusted user input directly in application code.
Author,
Gaurish Kauthankar
Attack & PenTest Team
Varutra Consulting Pvt. Ltd.