crAPI: NoSQL Injection

‍

Amit Dubey

July 15 2022 · 2 min read

‍

Welcome back, everyone! In this blog, we will learn about OWASP API:08, NoSQL Injection. Unlike SQL (Structured Query Language), NoSQL (Not Only SQL) is a distributed, non-relational database built for large-scale data storage and performance across several platforms. The NoSQL database was created as an open-source project with an enterprise option. Document databases, key-value pairs, wide-column stores, and graph databases are the four primary kinds of NoSQL databases that have evolved throughout time.
We will go over an example to demonstrate how data can be retrieved from a MongoDB database.

Example 1:
For a key-value pair in MongoDB, we need to use the query below to find the price greater than $20.

The Attack

Poor sanitization and validation of user-supplied data typically lead to NoSQL attacks. In this scenario, the attacker produces input strings in such a manner that when the target application constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions that were not intended by the application to be executed. Unlike SQL Injection, NoSQL Injection attacks can take place even when the application does not depend on user input. One example of this would be operator replacements. In order for the attacker to do this, reserved NoSQL variable names need to be replaced (for example, $where in MongoDB). Depending on the NoSQL API and data model, a successful injection can leak information, manipulate data, and execute code at the application level.
crAPI is a vehicle management application that allows customers to purchase spare parts for their vehicles. Users can also use coupon codes to save money on the products they wish to buy. However, the coupon codes are limited and are not known by the attacker. Furthermore, crAPI manages its coupon collection using MongoDB; however, the input for adding coupons is not properly validated. This causes a NoSQL injection, allowing the attacker to collect several coupons and use them to purchase the products at a discounted price.

1. Authenticate to the application as a user and Navigate to the Shop page of the application.

2. Now click on “+ Add Coupons”

3. Note that the application doesn’t allow using random codes.

4. Capture the request using a proxy tool such as (ZAP or Burp) and observe the response results in a 500 status code.

5. Now try injecting $ne (not equal) query with null as a value and observe that we successfully received a coupon code.

6. Inject the coupon code we received instead of null, then observe the server response for another coupon code.

7. Using all the coupons code received, an attacker was able to get multiple discounts.

Remediation:

1. All user-controlled input must be checked for invalid characters. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to single-quotes(‘) and semicolons (;).
2. Instead of string queries, use safe APIs (PyMongo and Flask-PyMongo for Python and MongoDB).
3. The application should use the latest NoSQL database and API.
4. Apply Least Privilege to application accounts to limit NoSQL injection impact.
5. If using PHP with MongoDB, use single quotes to avoid operator replacement attacks.
6. Disable server-side JavaScript execution in MongoDB and use mongo-sanitize.

References:

1. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection
2. https://book.hacktricks.xyz/pentesting-web/nosql-injection
3. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection (wordlist)
4. https://github.com/codingo/NoSQLMap (tool)

GOOD NEWS! We’ve got you covered. Levo has already detected several NoSQL Injection attacks. Sign up for free and give it a go.

In our next blog post, we will learn about various Excessive Data Exposure issues in crAPI. Stay Tuned.

Best Regards,
Amit

‍