Coders Conquer Security: Share & Learn Series - NoSQL Injection20th December 2018
NoSQL databases are becoming more and more popular. It’s hard to deny their speed and ease of dealing with unstructured data, especially with dev teams working to increasingly agile methodologies.
It takes time for developers to shake out vulnerabilities and other challenges in emerging technology. Only after it has been in use for some time in production applications do problems begin to bubble to the surface.
NoSQL databases are similar. There are key risks developers should be aware of so they can keep their applications safe. One such risk is NoSQL injection.
Let’s take a look at what NoSQL injection is, what damage it can cause, and how to fix it:
Understand NoSQL Injection
NoSQL injection is caused by many of the same injection vulnerabilities such as XML or SQL injection.
NoSQL injection allows attackers to place arbitrary commands into a NoSQL query. This allows them to steal data and even make changes to the database if their privileges are high enough.
When an application places user-controlled data directly into a NoSQL query expression, these expressions often take functions or have built-in operators that can be manipulated to steal or change data. And when such a thing is executed with malicious intent, the consequences can be dire.
MongoDB databases are one of the most popular playgrounds to exploit with this vulnerability. ‘$ne: ""’ is the operator equivalent to 1=1 in the SQL world, so, by way of example, an attacker could place the characters ‘$ne: “”’ into the username and password fields of a UI. If the code is vulnerable to NoSQL injection, the database will search for all records where the username and password do not equal an empty string. In other words: all of them. Yikes.
If this database is unencrypted, then the attacker could steal the usernames and passwords of every single user within it. This includes administrator username and passwords, giving them an all-access pass to the entire database.
Attackers often try to pass-in values that are always true. Another common attack is to inject malicious code into properties that are set to functions.
For example, MongoDB uses a find function that takes an object with a property called $where. The $where property is set to a function that should evaluate to true or false. If this function is changed in any way by user input, a NoSQL injection likely lurks there.
For a nicely detailed look at the intricacies of NoSQL injection, check out this InfoQ article.
Know Why NoSQL Injection is Dangerous
NoSQL injection is dangerous mostly because it hasn’t yet received the scrutiny from the security community it deserves.
The impacts of NoSQL injection are much the same as with traditional SQL injection. Data can be stolen or changed, accounts can be compromised by stealing data and, perhaps most viciously, data could be completely wiped out if a delete command is successfully issued.
The bottom line is that MongoDB and other NoSQL database engines are vulnerable to attack. “No SQL” doesn’t mean no injections.
Thankfully, some in the community are taking note and putting the word out. More developers need to educate themselves so they can protect their apps from little-known nasties that can become a huge headache if exploited.
Defeat NoSQL Injection
NoSQL injection can be difficult to defeat. Unfortunately, there isn’t the option of parameterized queries as there is with SQL injection. However, it’s not impossible. There are a few options to help you out:
- Fuzzers can be used as one method to detect vulnerabilities. Although, as is the case with many things in life, the simplest approach can be the most effective. Here, good old code review is your strongest ally.
- When reviewing code, look for possible places where user input could set the value of an expression or change a function. Don’t allow user input to change your queries.
- Be sure to cast user input to its rightful class. If it's a number, cast it to a number, if it's a string, cast to a string and so on.
- Never use $where or similar eval functions along with user input. In most cases, you can work around it by changing the data model or schema.
- Try using Mongoose as your MongoDB driver. Mongoose allows you to define a schema for your NoSQL database. If you tell Mongoose that your inputs are strings, they will be cast to strings. So, any objects passed in by an attacker will not be treated as objects, but as strings.
- Harden your DB! Create low-privilege user accounts, maximize execution time for queries, and always follow the security best practices that apply to your organization.
A disadvantage of NoSQL databases’ ease of use is the tendency of developers to stand them up and start using them with no thought about security.
It’s essential that you take the time to learn how to securely stand up a NoSQL database and protect yourself from NoSQL injections.
For instance, MongoDB Enterprise Edition has advanced access control capabilities for your documents. Enforcing ‘least privilege’ can be a good Defense in Depth (DiD) strategy in case someone were to find a vulnerability in your application.
To sum up, here’s what we have:
- Sanitize your input before using it in a NoSQL query expression
- Use drivers that help you out, like Mongoose
- Perform code reviews that look specifically at how input data is used within queries
- Use fuzzers and scanners to try to help find vulnerabilities in your code.
NoSQL is not No Injections
NoSQL databases are quickly gaining popularity due to their scalable features and speed of setup. The newness of the technology can lead developers to use NoSQL databases without thinking of how to secure them.
NoSQL databases can be just as vulnerable as SQL databases to injection attacks, so act with caution and pay attention to your queries. If you want to learn more, check out our Learning Resources or test your skills with our free demo.
Prepare yourself ahead of time and you won’t need to worry about NoSQL injections in your applications. Too easy!
Think you're ready to locate, identify and fix NoSQL injection right now? Enter the secure code arena, warrior:
And that's a wrap for 2018! This will be our final post for the year, but we'll be back with the next Coders Conquer Security guide on January 10th, 2019. See you soon!