Course Content
NoSQL Injection: Blind Injection Fundamentals
Table Of Contents
- NoSQL Injection: MongoDb Query Object Injection
- Talk Scope
- Recap: What is NoSQL Injection (NoSQLi)?
- Query Objects
- Exercise: Evaluating Injection Risks
- Example: Query Object Injection
- Query Operator Attack Vector
- Query Operators
- Exercise Overview
- Exercise Setup
- Exercise Assignment
- Solution: Find Patch Data
- Solution: Construct Payload
- Solution: Find API endpoint URL
- Solution: Construct cURL command
- Takeaways
Talk Scope
- Exercise: Learn about Blind Injection and leverage it to find vulnerable server-side logic
- Exercise: Use logical operators to dump all documents within a MongoDb collection
- Exercise: Learn how attackers leverage client-side code to find vulnerable server-side routing functionality
Recap: What is NoSQL Injection (NoSQLi)?
- Introduced when developers create dynamic database queries that include user supplied input (untrusted input)
- What unexpected input types could we receive?
- Binary
- Query Object
- $where query operator
- Others
$where: Query Operator
- Query Operators
- $where: Matches documents that satisfy a JavaScript expression
- JavaScript expression is invoked for each document in the accounts collection
- Current document is referenced by this
- Whitelists certain Javascript functions
Exercise: $Where Whitelisted Functions
// Available Functions
assert() Map() BinData() MD5()
DBRef() NumberLong() emit() print()
gc() printjson() HexData() printjsononeline()
hex_md5() sleep() isNumber() Timestamp()
isObject() tojson() ISODate() tojsononeline()
isString() tojsonObject() UUID() version()
DBPointer() NumberInt()
- Thought exercise
- After the attacker injects requestInput, they have no way to view the response
- If injected via requestInput, which function could have the largest negative consequence?
Exercise: $Where Whitelisted Functions (Answer)
sleep(ms)
- Suspends an execution context for a specified number of ms
- Ex: Intended usage
- Slowing down bulk insertion to minimize resource footprint
- Ex: Unintended usage
- Invoke hundreds of sleep() requests
- Mass inject sleep() and observe response times
- Blind Injection: Don't need to observe the response body
- If route is vulnerable, dig deeper
Exercise: Crafting The Payload (Setup)
docker run -p 3000:3000 securingthestack/juice-shop:nosqli-blind-injection
- Extension from https://sts.tools/nosqli-query-object-injection
Exercise: Crafting The Payload (Setup) CONT.
- Go to localhost:3000 in the browser and find dist/juice-shop.min.js
- Search for factory("ProductReviewService"
Exercise: Crafting The Payload (Question)
- Given the routes defined in the ProductReviewService, execute a request that makes the server "sleep"
- Hint
return o.get(r + "/" + e + "/reviews").then(function(e) {
- What does the e tell us about the server-side logic?
- Answer
- The server is accepting input from the user
Exercise: Crafting The Payload (Answer)
http://localhost:3000/rest/product/sleep(2000)/reviews
- Attacker would automate this
- If the response was lagged by 2 seconds, the attacker knows that the route is vulnerable to $where injection
- Let's go deeper into $where…
Exercise: "Unguessable" Identifiers (Question)
- Ideas/facts that will help with the assignment
- Bank Statement: https://example.bank.com/statements/RandomNum
- How can all random numbers be divulged?
- $where is finding a condition that's true
- $where accepts Javascript syntax (logic operators)
- Assignment
http://localhost:3000/rest/product/inject_me/reviews
- Inject inject_me to retrieve all product reviews
Exercise: "Unguessable" Identifiers (Hint)
- Hint
- Leverage Javascript logical operators to force an always-true condition
Exercise: "Unguessable" Identifiers (Answer)
http://localhost:3000/rest/product/1||true/reviews
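Added example, not part of the course material or Juice Shop's own code: the query construction the two exercises imply, a stand-in for how MongoDB evaluates a $where string per document, and a hardened variant that validates the id before it reaches the query. It assumes the vulnerable route concatenates the id path segment directly into a $where expression; the review documents are constructed sample data.

```javascript
// Constructed sample collection: reviews for two different products.
const reviews = [
  { product: 1, author: "a@juice-sh.op", message: "Great apple juice" },
  { product: 1, author: "b@juice-sh.op", message: "Too sweet" },
  { product: 2, author: "c@juice-sh.op", message: "Banana juice is fine" },
];

// Vulnerable pattern (assumed shape of the exercise route): the user-supplied
// id is concatenated into a JavaScript expression that MongoDB evaluates once
// per document via $where. "1||true" becomes "this.product == 1||true".
function buildQueryVulnerable(id) {
  return { $where: "this.product == " + id };
}

// Minimal stand-in for MongoDB's $where evaluation so the example runs
// without a database: run the string as JS with `this` bound to each document.
function runWhere(query, docs) {
  const predicate = new Function("return (" + query.$where + ");");
  return docs.filter((doc) => Boolean(predicate.call(doc)));
}

// Hardened pattern: accept only a plain integer id, then use an ordinary
// equality query. No user-controlled string is ever evaluated as code, so
// neither "sleep(2000)" nor "1||true" can reach a JavaScript evaluator.
function buildQueryHardened(id) {
  if (typeof id !== "string" || !/^\d{1,9}$/.test(id)) {
    throw new Error("invalid product id");
  }
  return { product: Number(id) };
}

function runEquality(query, docs) {
  return docs.filter((doc) => doc.product === query.product);
}

// How many reviews each variant returns for a given path segment.
function countVulnerable(id) {
  return runWhere(buildQueryVulnerable(id), reviews).length;
}
function countHardened(id) {
  return runEquality(buildQueryHardened(id), reviews).length;
}

// True when the hardened validation refuses the path segment.
function hardenedRejects(id) {
  try { buildQueryHardened(id); return false; } catch (e) { return true; }
}
```

With the always-true payload from the exercise the vulnerable variant returns every review in the collection, while the hardened variant refuses the request before any query is built.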
Takeaways
- Attackers already know a lot about your private server-side code through the public client-side code
- When possible, never whitelist any characters that can be leveraged to create a logical operator (|, &, etc.)