Standard attack pattern

Stable

CAPEC-676: NoSQL Injection

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level. Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668].

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Survey target application] Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.
- Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
- Identify areas of the application that interact with user input and may be involved with NoSQL queries.
Step 2
Experiment
[Identify user-controllable input susceptible to injection] After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., "$ne" for MongoDB or "$exists" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.
- Use web browser to inject input through text fields or through HTTP GET parameters.
- Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
- Use network-level packet injection tools such as netcat to inject input
- Use modified client (modified by reverse engineering) to inject input.
Step 3
Experiment
[Experiment with NoSQL Injection vulnerabilities] After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.
- Use public resources such as OWASP's "Testing for NoSQL Injection" [REF-668] or Null Sweep's "NoSQL Injection Cheatsheet" [REF-669] and try different approaches for adding logic to NoSQL queries.
- Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.
- Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as "where" within PHP [CAPEC-460].
Step 4
Exploit
[Exploit NoSQL Injection vulnerability] After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.
- Craft and Execute underlying NoSQL query

Examples

The following examples primarily cite MongoDB, PHP, and NodeJS attacks due to their prominence and popularity. However, please note that these attacks are not exclusive to this NoSQL instance, programming language, or runtime framework. Within NodeJS, Login Bypass attacks are possible via MongoDB if user-input is not properly validated and sanitized [REF-670]. //NodeJS with Express.js db.collection('users').find({ "user": req.query.user, "password": req.query.password }); The above code works fine if the user were to submit a query like the following: https://example.org/login?user=patrick&password=1234 But an adversary could submit a malicious query such as the below, which would be interpreted by the code as follows: https://example.org/login?user=patrick&password[$ne]= //NodeJS with Express.js db.collection('users').find({ "user": bob, "password": {"&ne": ""} }); This will result in a Login Bypass attack, as the query will succeed for all values where Bob's password is not an empty string.

MongoDB instances are also vulnerable to JavaScript Injection Attacks when user input is not properly validated and sanitized. //PHP with MongoDB db.collection.find({$where: function() { return (this.username == $username) } } ); If the user properly specifies a username, then this code will execute as intended. However, an adversary can inject JavaScript into the "$username" variable to achieve a NoSQL Injection attack as follows: //PHP with MongoDB db.collection.find({$where: function() { return (this.username == 'foo'; sleep(5000) ) } } ); This will result in the server sleeping for 5 seconds if the attack was successful. An adversary could supply a larger value to deny service to the application.

If leveraging PHP with MongoDB, operator replacement attacks are possible if special query operators are not properly addressed. The below example from OWASP's "Test for NoSQL Injection" displays a simple case of how this could occur.[REF-668] db.myCollection.find({$where: function() { return obj.credits - obj.debits < 0; } } ); Even though the above query does not depend on any user input, it is vulnerable to a NoSQL injection attack via operator replacement on the "$where" keyword. In this case, the adversary could exploit MongoDB in the following manner: $where: function() { //arbitrary JavaScript here }

CAPEC-676: NoSQL Injection

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Frequently asked questions

What is CAPEC-676?

How does a NoSQL Injection attack work?

How do you prevent CAPEC-676?

What weaknesses does CAPEC-676 target?

How severe is CAPEC-676?

References

Defend against CAPEC-676

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Related

Frequently asked questions

What is CAPEC-676?

How does a NoSQL Injection attack work?

How do you prevent CAPEC-676?

What weaknesses does CAPEC-676 target?

How severe is CAPEC-676?

References

Defend against CAPEC-676