NoSQL Injection
Introduction
NoSQL, short for "not only SQL", refers to databases that store data in non-tabular formats, unlike traditional relational databases. These databases offer flexible schema models that support various types of unstructured data, such as documents, key-value pairs, and graphs.
Organizations opt for NoSQL databases for their scalability, flexibility, and suitability for handling large volumes of data that don’t fit into a relational model. Examples of NoSQL databases include MongoDB, CouchDB, and DynamoDB.
How Does NoSQL Injection Work?
Let's walk through a brief demonstration of how a NoSQL injection attack operates and how the injected input breaks the query sent to the backend. The demonstration is based on a PortSwigger Academy lab.
1. Detecting NoSQL Injection
First, to detect NoSQL injection we must identify the parameter or sink through which we can pass data. Let's examine how the website functions.
When we browse the web application, an API endpoint is hit and its response returns the data for the requested user.
When we send the value administrator, the server responds with the details of the administrator's account. This is a flaw in itself, as we could easily enumerate user details by name. However, for this demo, let's focus on NoSQL injection by chaining this enumeration to obtain the administrator's credentials. So, let's try to break the query by injecting a ' after the value of the name parameter, which is wiener.
Here, an error message is returned, but the response code is 200. This may be a potential injection point in the application. Since this lab is based on MongoDB, we will try to inject MongoDB-specific queries. However, to test a real-world application, we need to experiment with payloads for the various NoSQL databases. So, let's test a few MongoDB queries.
A few easy and popular operators to test for are $ne and $gt. Let's use some operators to create a boolean condition: if the condition is true, the server responds with the user's details; if it's false, it says the user was not found.
Injection Payload: ‘ && this.password %00
Here, once we enter the payload, the query simply checks whether the user is the administrator and whether that user has a password. This is obviously true, so the request is processed and the response with the administrator's details is returned. The %00 is a null byte, included so that the server treats the query as ended at that point. Now, let's check a false statement.
Injection Payload: ‘ && this.password=='' %00
Here, the query checks whether the administrator account's password is empty, which is false, so the server responds with a Could not find user message.
This confirms that the application is vulnerable to NoSQL injection. Now let's raise the impact of this bug by enumerating the administrator's password.
2. Exploiting NoSQL Injection
Now, using these boolean statements, let's enumerate the characters of the administrator's password. First, let's find out how long the password is by incrementing the length in the payload on each request.
Payload: ‘ && this.password.length=='8' %00
A password length of 8 was detected. Now let's iterate through each character of the password and check what it is. For this lab, the password consists only of letters, so let's fuzz the characters from 'a' to 'z' while iterating through the index positions of the password.
Payload: ‘ && this.password[$0$]=='$a$' %00
We can perform the fuzzing using Burp's Intruder feature, where the first payload set contains the index positions 0–7 and the second payload set iterates through the alphabet a–z. Let's select the cluster bomb attack type and start the attack.
Now, let's filter the results by differing content length and, lastly, sort them by payload position. Here, the password zzcoalgb was identified. Hence the administrator account is pwned.
Remedies
- Implement secure libraries and frameworks.
- Use ORM frameworks.
- Regularly update dependencies.
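As an added illustration of the query pattern the this.password payloads above rely on, and of the first remedy, here is example code that is not from the original post or the PortSwigger lab: the vulnerable $where string concatenation beside a hardened equality filter. Field names (username, password) and function names are assumptions.

```javascript
// Added example; not code from the original post or from the PortSwigger lab.
// It models two ways a "look up user by name" endpoint can build its MongoDB
// filter. No database is contacted: each function returns the filter object
// the driver would receive, so the effect of the page's payloads can be seen
// offline. Field names (username, password) are assumptions.

// VULNERABLE: the user-supplied name is concatenated into a JavaScript
// expression that the database evaluates through the $where operator. A single
// quote in the input closes the string literal, so whatever follows runs as
// part of the query; this is why the payloads above start with a quote and
// end with %00, so the server ignores the closing quote it appends.
function buildFilterUnsafe(name) {
  return { $where: "this.username == '" + name + "'" };
}

// HARDENED: a plain equality match, never a JS string. The value must be a
// primitive string (a JSON body could otherwise smuggle in {"$ne": ""}) and
// must not contain a null byte.
function buildFilterSafe(name) {
  if (typeof name !== "string") {
    throw new TypeError("username must be a string");
  }
  if (name.includes("\u0000")) {
    throw new RangeError("username must not contain a null byte");
  }
  return { username: { $eq: name } };
}

// Request-level check for JSON bodies: any key starting with "$", at any
// depth, would turn an equality match into an operator query and is rejected.
function containsOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, inner]) => key.startsWith("$") || containsOperatorKey(inner)
  );
}

// Demonstration on the page's length-probing payload (constructed input).
const probe = "' && this.password.length=='8' ";
console.log(buildFilterUnsafe(probe).$where);
console.log(JSON.stringify(buildFilterSafe("wiener")));
console.log(containsOperatorKey({ username: { $ne: "" } }));
```

The first console line shows the probe landing inside the evaluated expression, while the hardened function never lets user input become code and refuses non-string or operator-bearing values.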
In this blog we discussed the basics of NoSQL injection.