Course Content
NoSQL Injection: WAF Evasion Fundamentals
Talk Scope
- Exercise: Evaluate WAF attack vectors by looking at a Modsecurity WAF Rule
- Exercise: Deduce backend logic through URL structure to bypass potential WAF rules and dump all documents within a MongoDb collection
- Extension of NoSqi Series
WAF (Web Application Firewall) Review
- A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules – Wikipedia
- WAF Ex: Modsecurity
- ModSecurity is an open source, WAF engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. – ModSecurity Github
- OWASP ModSecurity Core Rule Set (CRS)
- Rules that can be loaded into ModSecurity
- The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. – CRS Github
Exercise: Bypassing WAF Rules (Question)
- Review https://sts.tools/nosqli-blind-injection-fundamentals
- http://localhost:3000/rest/product/1||true/reviews
- Leveraged a logical operator to force an "always true" condition
- Logical operators are often blocked by WAFs (Ex:
||
,&&
, etc.)Ex: Owasp Modsecurity SQLi Rule that blocks:
' || 1=1# ' && 1=1# ' /*!||*/ 1=1# ' /*!&&*/ 1=1#
- Given the above rule, how should an attacker try to fetch all documents within a MongoDb collection?
Exercise: Bypassing WAF Rules (Answer)
- They should target functionality that is unique to the victim application
- No generic rule that will block it
http://localhost:3000/rest/product/1||true/reviews
- Replace
1||true
with a value that's unique to Juice Shop - Main tutorial assignment
- First we must do a few thought exercises
- Replace
Exercise: Deducing Backend Logic (Question)
http://localhost:3000/rest/product/INJECT_ME/reviews
- Different values of
INJECT_ME
create different responses1
or1||true
docker run -p 3000:3000 securingthestack/juice-shop:nosqli-waf-evasion-fundamentals
- Q: Given this, what action is the backend doing with the user's input?
Exercise: Deducing Backend Logic (Answer)
USER_INPUT
is being compared to someUNKNOWN_VALUE
- If an attacker finds
UNKNOWN_VALUE
, they can force an always true condition while evading the WAF- Backend assumption:
USER_INPUT
==UNKNOWN_VALUE
- Q: Why is
==
a valid assumption? Why not>
, etc. (Hint: Substitute a few integer values inINJECT_ME
)http://localhost:3000/rest/product/INJECT_ME/reviews
- A: Given the 1 object response, the backend logic is probably making an
==
comparison
- Q: Why is
- Backend assumption:
Exercise: Finding the UNKNOWN_VALUE
object (Question)
- In the last tutorial, the following injection worked…
http://localhost:3000/rest/product/sleep(2000)/reviews
- Q: What did this tell us about where
sleep(2000)
was being evaluated?http://localhost:3000/rest/product/INJECT_ME/reviews
- A:
INJECT_ME
is being evaluated within a Javascript expression that's passed into$where
- Attacker Goal: Find
UNKNOWN_VALUE
, so they can force an always true conditionUSER_INPUT
==UNKNOWN_VALUE
- Given the
$where
context, what object isUNKNOWN_VALUE
?
Exercise: Finding the UNKNOWN_VALUE
object (Answer)
this
orobj
$where
iterates over all documents within a MongoDb collection- The current document is assigned to
this
this.address
- Properties of the document can then be referenced
- Ex: http://localhost:3000/rest/product/this/reviews
- Doesn't work
- The backend logic is probably leveraging a property of
this
in the comparison
Exercise: Finding this.UNKNOWN_VALUE
(Question)
http://localhost:3000/rest/product/INJECT_ME/reviews
- Given the backend logic is probably comparing
INJECT_ME
tothis.UNKNOWN_PROPERTY
- Leverage the URL to deduce the database schema and find
UNKNOWN_PROPERTY
Exercise: Finding this.UNKNOWN_VALUE
(Answer)
http://localhost:3000/rest/product/INJECT_ME/reviews
- A:
http://localhost:3000/rest/product/this.product/reviews
- This could dump sensitive information
- Imagine
INJECT_ME
is a random number that's given to each client
Backend Code
Takeaways
- You cant rely on WAFs for protection
- Attackers will find unique identifiers within your application to bypass generic WAF rules
this.product
- Attackers will find unique identifiers within your application to bypass generic WAF rules
- When developing an application, think about what information are you exposing through public information
- An attacker views EVERYTHING as an information source
- URL structure
- Version numbers
- Job postings
- Everything is being leveraged against you
- An attacker views EVERYTHING as an information source
0 comments