This article walks through an example application, backed by a NoSQL database (MongoDB), that is vulnerable to injection. In common parlance, a weakness where user input can alter a NoSQL query sent to a backend document database is called NoSQL injection. We will look at what the structure of a NoSQL query looks like and then see how it can be attacked to exfiltrate data.
INTRODUCTION
NoSQL databases are everywhere, and many developers choose them over a standard RDBMS. Flexibility, scalability and ease of use when dealing with semi-structured and unstructured data drive the popularity of NoSQL databases.
The fact that NoSQL database management systems don't use SQL doesn't mean they are free from injection risk. NoSQL injection is like SQL injection in that it arises when user input is mixed into query statements on the server, except that it targets different technologies such as MongoDB, Redis, Memcached, CouchDB and many more.
How is NoSQL injection different from standard SQL injection?
The primary difference between SQL and NoSQL injection is the grammar and syntax of the query. The languages used to query an RDBMS and a NoSQL database are very different, which completely changes how an injection is interpreted and which user-provided characters will break the query.
NoSQL database calls are written in the application's programming language, as a custom API call, or formatted according to a common convention (such as XML, JSON, LINQ, etc.). Malicious input targeting those formats may not trigger the application's primary sanitization checks. For example, filtering out common HTML special characters such as < > & ; will not prevent attacks against a JSON API, where the significant characters include / { } : and, in the case of MongoDB, the $ that prefixes every query operator.
NoSQL injection attacks may execute in different areas of an application than traditional SQL injection. Where SQL injection executes within the database engine, NoSQL variants may execute within the application layer or the database layer, depending on the NoSQL API used and the data model. Typically, a NoSQL injection attack executes wherever the attack string is parsed, evaluated, or concatenated into a NoSQL API call.
MongoDB, currently one of the most popular NoSQL database products, stores data as documents using a syntax similar to JSON (JavaScript Object Notation). Among other benefits, this lets developers build a full-stack web application in JavaScript alone, backed by a NoSQL database.
Let's look at an example that shows how a SQL query and a NoSQL query differ for the same functionality.
Typical SQL query for login
- SELECT * FROM users WHERE user = '$username' AND pass = '$password'
Equivalent command in MongoDB
- db.users.find({user: username, pass: password});
As you can see from the code above, we are querying the "users" collection and returning every document whose user and pass fields equal the supplied username and password. Note that in the SQL version the values are spliced into a string, whereas in the MongoDB version they are placed directly into a query object; that difference is exactly what changes the shape of the injection.
Injection into MongoDB backed apps
Now that we have seen a simple query for selecting a user by username and password, we can look at the other operators in MongoDB that could allow us to manipulate the query.
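The following is an added example, not code from the original article. It shows what happens to the login query above when the application parses the request body as JSON and passes the parsed values straight into the filter, why stripping the HTML characters mentioned earlier (< > & ;) does not help, and a hardened variant that rejects anything other than a plain string. No MongoDB server is needed: matchesFilter() is a deliberately small stand-in for the parts of MongoDB's query semantics used here ($ne, $gt, $regex), written for this example only, and the users, passwords and request body are constructed sample data.

```javascript
// Added example (not from the original article). matchesFilter() is a toy
// re-implementation of the MongoDB operators used here; it is not the real
// query engine. All data below is constructed for the demonstration.

const users = [
  { user: "admin", pass: "S3cret!Admin" },
  { user: "alice", pass: "correct horse battery staple" },
];

// Vulnerable pattern: this is db.users.find({user: username, pass: password})
// when `username` and `password` come from a JSON-parsed request body, so an
// attacker can supply an object (an operator) instead of a string.
function buildLoginFilterVulnerable(body) {
  return { user: body.username, pass: body.password };
}

// Hardened pattern (assumed policy for this example): fields that must be
// compared literally may only be primitive strings, so {"$ne": ""} is
// rejected before it can become an operator inside the query.
function buildLoginFilterHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { user: username, pass: password };
}

// Toy matcher: plain values are compared for equality; an object value is
// treated as a set of operators, exactly as MongoDB would treat it.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, expected]) => {
    const actual = doc[field];
    if (expected !== null && typeof expected === "object") {
      return Object.entries(expected).every(([op, arg]) => {
        switch (op) {
          case "$ne": return actual !== arg;
          case "$gt": return typeof actual === typeof arg && actual > arg;
          case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
          default: throw new Error(`operator ${op} not modelled in this example`);
        }
      });
    }
    return actual === expected;
  });
}

function findUsers(filter) {
  return users.filter((doc) => matchesFilter(doc, filter));
}

// The "HTML filter" from the article: strip < > & ; from the raw input.
// A JSON payload contains none of these, so it passes through untouched.
function stripHtmlSpecials(s) {
  return s.replace(/[<>&;]/g, "");
}

// Login attempt with an operator in the password position.
function demo() {
  const rawBody = '{"username": "admin", "password": {"$ne": ""}}';
  const body = JSON.parse(stripHtmlSpecials(rawBody));
  const vulnerableMatches = findUsers(buildLoginFilterVulnerable(body)).map((u) => u.user);
  let hardenedError = null;
  try {
    buildLoginFilterHardened(body);
  } catch (e) {
    hardenedError = e.message;
  }
  return { vulnerableMatches, hardenedError };
}

// Exfiltration by oracle: with $regex the attacker learns the password one
// prefix at a time from whether the login succeeds.
function passwordStartsWith(username, prefix) {
  return findUsers({ user: username, pass: { $regex: "^" + prefix } }).length > 0;
}

console.log(demo());
console.log("admin password starts with S3c:", passwordStartsWith("admin", "S3c"));
```

The vulnerable builder logs the attacker in as admin without a password because `{"$ne": ""}` is true for any non-empty string; the hardened builder rejects the request before any query is issued. Note that the defence is a type check, not character escaping: once the body is JSON, the operator is an object, not a string, so no amount of filtering characters in the original text would have caught it.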
