Course Body

Environment Setup/Error Reporting: https://sts.tools/setup

NoSQLi: From Beginner To BSON Injection

Table Of Contents

Talk Scope

  1. What is NoSQL injection (NoSQLi)?
  2. How does NoSQLi compare to SQLi?
  3. Evaluate MongoDb's claim that "traditional SQL injection attacks are not a problem" in MongoDb
  4. Evaluate how MongoDb can be exploited through BSON injection
  5. Understand the execution contexts that queries are evaluated in (and how they can be exploited)

What is NoSQL Injection (NoSQLi)?

  • Introduced when developers create dynamic database queries that include user supplied input
    • Untrusted input
    • Can contain the typical types: strings (code), ints (numbers), etc.
      • NoSQLi can also contain query objects
  • noSQLi MongoDB examples

SQL Injection: Foundational Thinking

SQL Vs NoSQL Injection (CONT.)

SQL Vs NoSQL Injection (CONT.)

  • username_value is scoped to username
    • Is this injectable?
    • Mongo has a statement on this

Mongos NoSQLi Response

  • MongoDB represents queries as BSON objects (Binary JSON)

  • "Typically client libraries provide a convenient, injection free, process to build these objects. Consider the following C++ example:"

    // db.accounts.find({username: username_value});
BSONObj my_query = BSON( "username" << username_value );
auto_ptr<DBClientCursor> cursor = c.query("accounts", my_query);
  • "As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem"
    • client program = client library

Mongos NoSQLi Response (CONT)

  • // db.accounts.find({username: username_value});
BSONObj my_query = BSON( "username" << username_value );
auto_ptr<DBClientCursor> cursor = c.query("accounts", my_query);
  • "If my_query contained special characters, for example ,, :, and {, the query wouldn’t match any documents. For example, users cannot hijack a query and convert it to a delete."
    • let username_value = "admin' -- "
      • Special characters were used to alter the meaning of the SQL query

Mongos NoSQLi Response (CONT)

  • db.accounts.find({username: username_value, password: password_value});
  • Mongo's statement about the lack of injection vulnerabilities assumes the input will be passed in a certain way
    • What is the input assumption?
      • String

BSON Injection

  • How could a string potentially exploit this BSON object?
    • Insert a BSON special character/delimiter: 0x00
      • Similar idea to the ' within '${username_value}'
    • Insert BSON directly
      • Nested BSON object
    • Insert hex/binary directly
    • Insert garbage that isn't BSON and cause a DoS

BSON-RUBY Injection: Background

  • BSON-Ruby Background
    • Mongoid is an Ruby ODM (Object-Document-Mapper) for MongoDB
      • Leveraged a lower-level adapter called Moped
        • Moped leveraged the BSON-Ruby library
  • Ruby Regex Background
    • \A and \z match the start and end of the string
    • ^ and $ match the start/end of a line
      • $ matches a /n
        • Other languages this matches the end of a string
  • Issue in the wild with bson-ruby

BSON-RUBY Injection (CONT)

Takeaways

  • Contrary to what organizations say, injection is always a risk when you take into account all contexts that a query is evaluated in
  • Next module: "Hands On" NoSQLi exercise where you inject a query object
Complete and Continue  
Discussion

0 comments