Course Content

NoSQL Injection: Blind Injection Fundamentals

Table Of Contents

Talk Scope

  1. Exercise: Learn about Blind Injection and leverage it to find vulnerable server-side logic
  2. Exercise: Use logical operators to dump all documents within a MongoDb collection
  3. Exercise: Learn how attackers leverage client-side code to find vulnerable server-side routing functionality

Recap: What is NoSQL Injection (NoSQLi)?

  • Introduced when developers create dynamic database queries that include user supplied input (untrusted input)
  • What unexpected input types could we receive?
    • Binary
    • Query Object
      • $where Query Operator
    • Others

$where: Query Operator

Exercise: $Where Whitelisted Functions

// Available Functions
assert()     Map()         BinData()    MD5()
DBRef()      NumberLong()  emit()       print()
gc()         printjson()   HexData()    printjsononeline()
hex_md5()    sleep()       isNumber()   Timestamp()
isObject()   tojson()      ISODate()    tojsononeline()
isString()   tojsonObject() UUID()      version()
DBPointer()  NumberInt()

Exercise: $Where Whitelisted Functions (Answer)

  • sleep(ms)
    • Suspends an execution context for a specified number of ms
  • Ex: Intended usage
    • Slowing down bulk insertion to minimize resource footprint
  • Ex: Unintended usage
    • Invoke hundreds of sleep() requests
    • Mass inject sleep() and observe response times
      • Blind Injection: Dont need to observe the response body
        • If route is vulnerable, dig deeper

Exercise: Crafting The Payload (Setup)

Exercise: Crafting The Payload (Setup) CONT.

  • Go to localhost:3000 in the browser and find dist/juice-shop.min.js
  • Search for factory("ProductReviewService"

Exercise: Crafting The Payload (Question)

  • Given the routes defined in the ProductReviewService, execute a request that makes the server "sleep"
  • Hint
    • return o.get(r + "/" + e + "/reviews").then(function(e) {
    • What does the e tell us about the server-side logic?
    • Answer
      • The server is accepting input from the user

Exercise: Crafting The Payload (Answer)

  • http://localhost:3000/rest/product/sleep(2000)/reviews
    • Attacker would automate this
    • If the response was lagged by 2 seconds, the attacker knows that the route is vulnerable to $where injection
      • Lets go deeper into $where

Exercise: "Unguessable" Identifiers (Question)

  • Ideas/facts that will help with the assignment
  • Assignment
    • http://localhost:3000/rest/product/inject_me/reviews
    • Inject inject_me to retrieve all product reviews

Exercise: "Unguessable" Identifiers (Hint)

  • Hint
    • Leverage Javascript logical operators to force a always true condition

Exercise: "Unguessable" Identifiers (Answer)

  • http://localhost:3000/rest/product/1||true/reviews

Takeaways

  • Attackers already know a lot about your private server-side code through the public client-side code
  • When possible, never whitelist any characters that can be leveraged to create a logical operator
    • |, &, etc.
Discussion

0 comments