Dark Mode
Capec-676 Detail
NoSQL Injection
Standard Software Likelihood: High Typical Severity: High
Parents: 248
Threats: T290 T298 T299 T300 T303 T312
Tools: 8
An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.
NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level. Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668].
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-676 | capec | https://capec.mitre.org/data/definitions/676.html | |
| CWE-943 | cwe | http://cwe.mitre.org/data/definitions/943.html | |
| CWE-1286 | cwe | http://cwe.mitre.org/data/definitions/1286.html | |
| REF-668 | reference_from_CAPEC | https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection | Testing for NoSQL Injection, The OWASP Foundation |
| REF-669 | reference_from_CAPEC | https://nullsweep.com/nosql-injection-cheatsheet/ | Charlie Belmer, NoSql Injection Cheatsheet, 2021--06---07, Null Sweep |
| REF-670 | reference_from_CAPEC | https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf | Patrick Spiegel, NoSql Injection: Fun with Objects and Arrays, The OWASP Foundation |
| REF-671 | reference_from_CAPEC | https://www.theweborion.com/wp-content/uploads/2019/06/NoSQL-Injection-Attacks-and-Prevention-Techniques.pdf | NoSql Injection: Fun with Objects and ArraysNoSQL Injection Attacks and Prevention Techniques, 2019--06, WebOrion |
Explore
-
Survey target application: Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.
| Techniques |
|---|
| Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized. |
| Identify areas of the application that interact with user input and may be involved with NoSQL queries. |
Experiment
-
Identify user-controllable input susceptible to injection: After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., "$ne" for MongoDB or "$exists" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.
-
Experiment with NoSQL Injection vulnerabilities: After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
| Techniques |
|---|
| Use public resources such as OWASP's "Testing for NoSQL Injection" [REF-668] or Null Sweep's "NoSQL Injection Cheatsheet" [REF-669] and try different approaches for adding logic to NoSQL queries. |
| Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query. |
| Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as "where" within PHP [CAPEC-460]. |
Exploit
-
Exploit NoSQL Injection vulnerability: After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.
| Techniques |
|---|
| Craft and Execute underlying NoSQL query |
- Awareness of the technology stack being leveraged by the target application.
- NoSQL queries used by the application to store, retrieve, or modify data.
- User-controllable input that is not properly validated by the application as part of NoSQL queries.
- Target potentially susceptible to operator replacement attacks.
- None: No specialized resources are required to execute this type of attack.
| Low | Medium |
|---|---|
| For keyword and JavaScript injection attacks, it is fairly simple for someone with basic NoSQL knowledge to perform NoSQL injection, once the target's technology stack has been determined. | |
| For operator replacement attacks, the adversary must also have knowledge of HTTP Parameter Pollution attacks and how to conduct them. |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Gain Privileges | Gain Privileges | Read Data |
| Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) | |||
| Gain Privileges |
- The following examples primarily cite MongoDB, PHP, and NodeJS attacks due to their prominence and popularity. However, please note that these attacks are not exclusive to this NoSQL instance, programming language, or runtime framework. Within NodeJS, Login Bypass attacks are possible via MongoDB if user-input is not properly validated and sanitized [REF-670]. //NodeJS with Express.jsdb.collection('users').find({"user": req.query.user,"password": req.query.password}); The above code works fine if the user were to submit a query like the following: https://example.org/login?user=patrick&password;=1234 But an adversary could submit a malicious query such as the below, which would be interpreted by the code as follows: https://example.org/login?user=patrick&password;[$ne]= //NodeJS with Express.jsdb.collection('users').find({"user": bob,"password": {"≠": ""}}); This will result in a Login Bypass attack, as the query will succeed for all values where Bob's password is not an empty string.
- MongoDB instances are also vulnerable to JavaScript Injection Attacks when user input is not properly validated and sanitized. //PHP with MongoDBdb.collection.find({$where: function() {return (this.username == $username) } } ); If the user properly specifies a username, then this code will execute as intended. However, an adversary can inject JavaScript into the "$username" variable to achieve a NoSQL Injection attack as follows: //PHP with MongoDBdb.collection.find({$where: function() {return (this.username == 'foo'; sleep(5000) ) } } ); This will result in the server sleeping for 5 seconds if the attack was successful. An adversary could supply a larger value to deny service to the application.
- If leveraging PHP with MongoDB, operator replacement attacks are possible if special query operators are not properly addressed. The below example from OWASP's "Test for NoSQL Injection" displays a simple case of how this could occur.[REF-668] db.myCollection.find({$where: function() {return obj.credits - obj.debits < 0; } } ); Even though the above query does not depend on any user input, it is vulnerable to a NoSQL injection attack via operator replacement on the "$where" keyword. In this case, the adversary could exploit MongoDB in the following manner: $where: function() { //arbitrary JavaScript here }