NOSQL Injection


WEB Attack Method noSQL

  NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:

  • Bypass authentication or protection mechanisms.
  • Extract or edit data.
  • Cause a denial of service.
  • Execute code on the server.

  NoSQL databases store and retrieve data in a format other than traditional SQL relational tables. They use a wide range of query languages instead of a universal standard like SQL, and have fewer relational constraints.

There are two different types of NoSQL injection:

  • Syntax injection - This occurs when you can break the NoSQL query syntax, enabling you to inject your own payload. The methodology is similar to that used in SQL injection. However, the nature of the attack varies significantly, as NoSQL databases use a range of query languages, types of query syntax, and different data structures.
  • Operator injection - This occurs when you can use NoSQL query operators to manipulate queries.

      Consequences of a Successful NoSQL Injection Attack

        • Exposes sensitive company data
        • Compromises users' privacy
        • Gives an attacker administrative access to your system
        • Gives an attacker general access to your system
        • Compromises the integrity of your data

      EXAMPLE CODE

      Assume a web application stores users' credentials in MongoDB and, on login, checks whether a user with the given username and password exists using an injectable MongoDB query.


      To authenticate, a legitimate user would submit a JSON object containing the credentials.


      Instead of sending the intended username and password strings, the injection can be performed by sending a JSON object containing MongoDB query operators in place of those strings.

      Iranian Chat App RAYCHAT

        The company was storing its user data in a misconfigured MongoDB database. When misconfigured, NoSQL databases can leave millions of documents exposed. In this case, a bad actor was able to essentially walk right in through Raychat's front door, then leverage a bot attack, which the company admits destroyed the database.


      Prevention

        To avoid NoSQL injection vulnerabilities, developers need to validate user data: reject unintended data structures, such as objects and arrays, which can be used to inject NoSQL operators, and validate or enforce the expected types. Using typed models converts the user data to the expected type, which stops some injections.

        Finally, to mitigate the potential damage of NoSQL (or any other) injection attacks, developers and admins must consider the access rights afforded to an application. Further, minimising the privileges of the operating system account that the database process runs under is good hygiene.
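An added example (not code from the original page) of the validation this section describes: a recursive check that reports MongoDB operator keys in user-supplied JSON, and the vulnerable filter-building pattern beside a hardened one that enforces the expected string types. The Express-style request bodies, function names and sample inputs are assumptions constructed for the example.

```javascript
// Added example: validating login input against NoSQL operator injection.
// Assumes a JSON request body already parsed into a plain object; no database driver is needed here.

// Recursively collect every key beginning with '$' (a MongoDB query operator) in user-supplied data.
// Useful as a request-time detection check, logged or rejected before the value reaches a query.
function findOperatorKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const here = path ? `${path}.${k}` : k;
      if (k.startsWith("$")) hits.push(here);
      hits.push(...findOperatorKeys(v, here));
    }
  }
  return hits;
}

// Vulnerable pattern: body fields are copied straight into the query filter, so a JSON
// object supplied in place of a string becomes a query operator rather than a literal value.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: enforce the expected primitive type for each field before building the filter.
// Objects, arrays, numbers and missing fields are all rejected, so no operator can be smuggled in.
function buildLoginFilterSafe(body) {
  const schema = { username: "string", password: "string" };
  const filter = {};
  for (const [field, type] of Object.entries(schema)) {
    const v = body[field];
    if (typeof v !== type) throw new TypeError(`${field} must be a ${type}`);
    filter[field] = v;
  }
  return filter;
}

// Constructed sample request bodies (not real traffic): one legitimate, one carrying an operator
// object of the kind described above in place of the password string.
const legitimateBody = { username: "alice", password: "correct horse" };
const operatorBody = { username: "alice", password: { $ne: "" } };

console.log(findOperatorKeys(buildLoginFilterUnsafe(operatorBody))); // ["password.$ne"]
try { buildLoginFilterSafe(operatorBody); } catch (e) { console.log(e.message); } // password must be a string
```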
© 2024