
NoSQLi

NoSQL Injection (NoSQLi) attacks are carried out by injecting malicious data into the queries an application sends to a NoSQL database.

Fundamental flaws in NoSQL DBs
Some common fundamental security flaws in NoSQL databases include:

  • Weak Authentication: Inadequate processes for verifying user identities.
  • Insufficient Input Validation: Failure to properly validate and filter user inputs.
  • Lack of Security Configurations: Database configurations that do not meet security requirements.

Security Mechanisms in NoSQL DBs
NoSQL databases incorporate various security mechanisms to minimize security vulnerabilities.

  • Authentication and Authorization: Verifying user identities and controlling access rights.
  • Input Validation and Filtering: Verifying user inputs and filtering out malicious entries.
  • Encryption: Encrypting data both in storage and in transit.
  • Security Audits: Conducting regular security audits and addressing vulnerabilities.

How NoSQLi Works
NoSQLi usually occurs when user inputs are passed into a query without being validated or filtered.

Types of NoSQL Injection and Techniques

String Manipulation
Inject malicious strings into the DB when user inputs aren't validated.

// Vulnerable query
db.users.find({ "username": "admin", "password": "password123" });

// Query manipulated with malicious input
db.users.find({ "username": "admin' || '1'=='1", "password": "password123" });

An attacker may enter admin' || '1'=='1 in the username field. This transforms the MongoDB query to include '1'=='1, which is always true and can return all user records.

Boolean Manipulation
Executed by altering boolean values in NoSQL queries.

NoSQLi using boolean manipulation in MongoDB

// Vulnerable query
db.users.find({ "username": "admin", "password": "password123" });

// Query manipulated with malicious input
db.users.find({ "username": "admin", "password": { "$ne": null } });

An attacker inputs { "$ne": null } in the "password" field. The input transforms the MongoDB query to "password": { "$ne": null }, which always evaluates to true and can return all user records.

Object Manipulation
Carried out by manipulating object values in NoSQL queries. Especially common in doc-oriented DBs like MongoDB.

// Vulnerable query
db.users.find({ "username": "admin", "password": "password123" });

// Query manipulated with malicious input
db.users.find({ "username": { "$gt": "" } });

An attacker may enter { "$gt": "" } in the "username" field. This transforms the query into "username": { "$gt": "" }, which matches every record whose username is a non-empty string.

Array Manipulation
Performed by altering array values in NoSQL queries. Prevalent in doc-oriented DBs.
NoSQL injection using array manipulation in MongoDB.

// Vulnerable query
db.users.find({ "roles": "admin" });

// Query manipulated with malicious input
db.users.find({ "roles": { "$in": ["admin", "user"] } });

An attacker may enter { "$in": ["admin", "user"] } in the 'roles' field. The input transforms the MongoDB query to "roles": { "$in": ["admin", "user"] }, which matches users holding either role instead of only admin.
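
The boolean, object and array cases above all work the same way: a value that should have been a string arrives as an object, and MongoDB reads its "$"-prefixed keys as operators. The following is an added example, not code from the original note: a small in-memory evaluator for the three operators used above ($ne, $gt, $in), run against a constructed user collection, so the effect of each manipulated filter can be seen without a database. It deliberately covers only equality, $ne, $gt and $in on string and array fields; real MongoDB has many more operators and BSON comparison rules.

```javascript
// Added example (not from the original note): a tiny evaluator for MongoDB-style
// filter documents, enough to show why the manipulated queries match more
// records than intended. Only equality, $ne, $gt and $in are implemented.

// Constructed sample data; these are not real accounts.
const USERS = [
  { username: "admin", password: "password123", roles: ["admin"] },
  { username: "alice", password: "hunter2", roles: ["user"] },
  { username: "bob", password: "letmein", roles: ["auditor"] },
];

// Does a stored field value satisfy one filter condition?
function matchField(stored, condition) {
  // Plain value: equality, or membership when the stored field is an array
  // (MongoDB matches { roles: "admin" } against any element of roles).
  if (condition === null || typeof condition !== "object" || Array.isArray(condition)) {
    return Array.isArray(stored) ? stored.includes(condition) : stored === condition;
  }
  // Operator object: every operator key must hold for the field.
  return Object.entries(condition).every(([op, arg]) => {
    switch (op) {
      case "$ne":
        return !matchField(stored, arg);
      case "$gt":
        // String comparison only; "" is less than every non-empty string.
        return typeof stored === "string" && stored > arg;
      case "$in":
        return arg.some((v) => matchField(stored, v));
      default:
        throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Evaluate a filter document against a collection, like db.users.find(filter).
function find(collection, filter) {
  return collection.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => matchField(doc[field], cond)));
}

// Usernames returned for a given filter, for easy inspection.
function matchedUsernames(filter) {
  return find(USERS, filter).map((u) => u.username);
}

// Walk-through of the note's cases (uncomment to print):
// matchedUsernames({ username: "admin", password: "password123" }) -> ["admin"]
// matchedUsernames({ username: "admin", password: { $ne: null } }) -> ["admin"]  login without the password
// matchedUsernames({ password: { $ne: null } })                     -> all three users
// matchedUsernames({ username: { $gt: "" } })                        -> all three users
// matchedUsernames({ roles: "admin" })                               -> ["admin"]
// matchedUsernames({ roles: { $in: ["admin", "user"] } })            -> ["admin", "alice"]
```

The first query is what the login code intends; the remaining ones show that once the password or username slot holds an operator object, the credential check contributes nothing to the filter. The string-manipulation case is not modelled here because, inside a filter document, a quoted payload is just an ordinary string value.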

Time-Based NoSQLi
A type of attack where attackers manipulate the database's behavior using time delays to extract sensitive information from the database.

Method to leak data or obtain system information by analysing response time of the DB.

// Vulnerable query
db.users.find({ "username": username, "password": password });

This query checks the username and password.

// Malicious input
username = "admin";
password = { "$where": "sleep(1000) || this.password == 'password123'" };

// Manipulated query
db.users.find({ "username": "admin", "password": { "$where": "sleep(1000) || this.password == 'password123'" } });

Here the $where operator has been injected into the password field. It adds a 1000 millisecond (1 second) delay while checking whether the password field equals password123; the attacker uses the response time to infer information about the password.

Preventing NoSQLi
Input Validation and Filtering
Validating and filtering user inputs is one of the fundamental methods to protect against NoSQL Injection attacks.

  • Use of Whitelisting: Accept user inputs only if they match allowed characters and formats.
  • Escaping Special Characters: Replace or completely filter special characters that can be used in NoSQL queries.
  • Using Regex: Check if the input data conforms to a specific regular expression (regex).

Input validation and filtering

Insecure query

db.users.find({ "username": username, "password": password });

Secure query with input validation and filtering

const sanitizedUsername = sanitizeInput(username);
const sanitizedPassword = sanitizeInput(password);

db.users.find({ "username": sanitizedUsername, "password": sanitizedPassword });

// Strips characters with special meaning in NoSQL queries; assumes input is a string.
function sanitizeInput(input) {
  return input.replace(/[\$&\*\+\=\!\?]/g, "");
}
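
The regex version of sanitizeInput only helps when the input is already a string. When a request body is parsed as JSON, an operator payload such as { "$ne": null } or a $where clause arrives as an object, and String.prototype.replace would throw rather than neutralise it. The following is an added example, not the note's own code, that serves both this section and the Time-Based section above: an allow-list check for fields that must be strings, plus a recursive scan that finds operator keys anywhere in a parsed body so the request can be rejected and logged. The field names and limits are assumptions for the example.

```javascript
// Added example (not from the original note): type-aware input validation for a
// login body, and a recursive scan for MongoDB operator keys.

// Allow-list for a username: letters, digits, dot, underscore, hyphen; 3-32 chars.
// (Assumed policy for the example.)
const USERNAME_RE = /^[A-Za-z0-9._-]{3,32}$/;

// Return the username only if it is a string matching the allow-list, else null.
function sanitizeUsername(input) {
  if (typeof input !== "string") return null; // objects and arrays are never valid
  return USERNAME_RE.test(input) ? input : null;
}

// Passwords are not character-stripped (that would silently change the
// credential); only the type and a length bound are enforced.
function sanitizePassword(input) {
  if (typeof input !== "string") return null;
  if (input.length === 0 || input.length > 128) return null;
  return input;
}

// Recursively collect key paths that start with "$" or contain "." anywhere in
// a parsed value: catches $ne, $gt, $in, $where and nested variants.
function findOperatorKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const here = path ? `${path}.${k}` : k;
      if (k.startsWith("$") || k.includes(".")) hits.push(here);
      hits.push(...findOperatorKeys(v, here));
    }
  }
  return hits;
}

// Validate a login body. Returns { ok: true, filter } with a filter that only
// contains plain strings, or { ok: false, reason } for logging and rejection.
function validateLoginBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be a JSON object" };
  }
  const operators = findOperatorKeys(body);
  if (operators.length > 0) {
    return { ok: false, reason: `operator keys in input: ${operators.join(", ")}` };
  }
  const username = sanitizeUsername(body.username);
  const password = sanitizePassword(body.password);
  if (username === null) return { ok: false, reason: "invalid username" };
  if (password === null) return { ok: false, reason: "invalid password" };
  return { ok: true, filter: { username, password } };
}

// Usage: const result = validateLoginBody(req.body);
// if (!result.ok) { log the reason and respond 400 } else { db.users.find(result.filter) }
```

The operator scan is the same idea implemented by the express-mongo-sanitize middleware, and the reason string is worth logging because repeated operator keys in login bodies are a clear signal of probing. For the $where case specifically, MongoDB's security.javascriptEnabled setting can be set to false on the server to disable server-side JavaScript altogether, which removes the sleep-based timing channel regardless of application-side validation.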

Parameterised queries
Parameterized queries are those where user inputs are not directly included in the query and are processed securely.

Insecure

db.users.find({ "username": username, "password": password });

Secure (parameterised)

db.users.find({ "username": ":username", "password": ":password" }, { "username": username, "password": password });
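
The MongoDB shell and the Node.js driver have no placeholder syntax of the ":username" form: the second argument to find() is a projection or options object, not a parameter map. The closest equivalent of a parameterised query is to build the filter so that every user-supplied value is compared literally, by checking its type and wrapping it in $eq. The following is an added example, not the note's own code; the collection object is assumed to expose a driver-style findOne(filter), and a constructed fake collection is used so the block runs without a database.

```javascript
// Added example (not from the original note): build login filters so that
// user-supplied values can only ever be compared literally.

// Wrap a value in $eq after confirming it is a string. With $eq the value is
// matched as a literal: even an object operand would be compared as an embedded
// document rather than interpreted as operators, but rejecting non-strings
// up front keeps the intent explicit.
function literal(value, name) {
  if (typeof value !== "string") {
    const got = value === null ? "null" : typeof value;
    throw new TypeError(`${name} must be a string, got ${got}`);
  }
  return { $eq: value };
}

// The filter the login code intends, with no room for operator injection.
function buildLoginFilter(username, password) {
  return {
    username: literal(username, "username"),
    password: literal(password, "password"),
  };
}

// Look up a user through a driver-style collection (assumed interface:
// collection.findOne(filter)).
function findUser(collection, username, password) {
  return collection.findOne(buildLoginFilter(username, password));
}

// Constructed fake collection that records the filters it receives, standing
// in for db.collection("users") so the example is self-contained.
function recordingCollection() {
  const calls = [];
  return {
    calls,
    findOne(filter) {
      calls.push(filter);
      return null;
    },
  };
}

// Usage:
// const users = recordingCollection();
// findUser(users, "admin", "password123");
// users.calls[0] -> { username: { $eq: "admin" }, password: { $eq: "password123" } }
// findUser(users, "admin", { $ne: null }) -> throws TypeError before any query is sent
```

Mongoose (version 6 and later) offers the same literal-comparison behaviour through its sanitizeFilter option, which wraps object values in filters with $eq; it is worth enabling because, without it, an ODM forwards operator objects to the database unchanged.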

Proper use of ORM and DB libraries
Object-Relational Mapping (ORM) and database libraries allow secure interactions with NoSQL databases.

  • Use of ORM: ORM tools ensure that queries are created and executed securely.
  • Library Updates: Use up-to-date and secure versions of your ORM and database libraries.

Insecure

db.users.find({ "username": username, "password": password });

Secure query using ORM

User.findOne({ username: username, password: password }).exec();