
NoSQL Injections in Node.js - The case of MongoDB



  1. NoSQL INJECTIONS IN NODE.JS - The case of MongoDB. Vladimir de Turckheim, 5 DEC 2016
  2-8. </> IN PRACTICE (slides 2 to 8 repeat the same handler and build up the table below one row at a time)

     ```javascript
     app.post('/documents/find', (req, res) => {
       const query = { };
       // any truthy value passes this check, an object included
       if (req.body.desiredType) query.type = req.body.desiredType;
       if (!query.type) return res.json([ ]);
       Document.find(query).exec()
         .then((r) => res.json(r));
     });
     ```

     req.body                     | query                  | outcome
     { desiredType: 'blog' }      | { type: 'blog' }       | all documents whose field 'type' equals 'blog'
     { desiredType: { $ne: 0 } }  | { type: { $ne: 0 } }   | all documents whose field 'type' does not equal 0
  9. WAIT, THERE IS WORSE: { $where: 'this.amount > 0' }
  10. In MongoDB < 2.4, it is possible to perform all operations on a database from an injection (including dropDatabase).
  11. VALIDATE WHAT GETS INSIDE YOUR APPLICATION
     - hapi: on a route, use config.validate
     - express: add a data validation middleware. It can be a custom one or it can use a third party library (see tutorial online)
  12. </> EXPRESS: CUSTOM DATA VALIDATION MIDDLEWARE

     ```javascript
     // The middleware is defined before it is referenced in app.post
     // (a const is not hoisted), so the two statements from the slide are swapped.
     const validate = function (req, res, next) {
       const body = req.body;
       // reject anything that is not a string, an operator object included
       if (body.desiredType && !(typeof body.desiredType === 'string')) {
         return next(new Error('desiredType must be a string'));
       }
       next();
     };

     app.post('/documents/find', validate, (req, res) => { /* handler from the IN PRACTICE slides */ });
     ```
  13. </> EXPRESS: USING JOI AND CELEBRATE TO VALIDATE DATA

     ```javascript
     const Joi = require('joi');
     // celebrate's export at the time of the talk; newer versions export { celebrate }
     const Celebrate = require('celebrate');

     // Joi.object is a function: Joi.object.keys(...) as on the slide would throw
     const validate = Celebrate({
       body: Joi.object().keys({
         desiredType: Joi.string().optional()
       })
     });

     app.post('/documents/find', validate, (req, res) => { /* handler from the IN PRACTICE slides */ });
     ```
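As an added example (not from the slides), the unsafe query construction of slides 2 to 8 beside a hardened builder and the kind of operator-key check a custom validation middleware (slides 11 and 12) would run. The function names and the two request bodies are constructed for illustration; no MongoDB instance is needed to see the difference.

```javascript
// Mirrors the deck's handler: a truthy check lets any value through,
// so an operator object from the client becomes part of the query.
function buildQueryUnsafe(body) {
  const query = {};
  if (body.desiredType) query.type = body.desiredType;
  return query;
}

// Hardened builder: only a primitive string may become the filter value,
// which rules out nested operator objects such as { $ne: 0 }.
function buildQuerySafe(body) {
  if (body.desiredType === undefined) return {};
  if (typeof body.desiredType !== 'string') {
    throw new TypeError('desiredType must be a string');
  }
  return { type: body.desiredType };
}

// Generic check for a validation middleware: walk the parsed body and
// flag any key beginning with '$', the marker of a MongoDB operator.
function containsOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || containsOperatorKey(value[k])
  );
}

// Constructed request bodies, as a JSON body parser would hand them over.
const legitBody = { desiredType: 'blog' };
const hostileBody = { desiredType: { $ne: 0 } };

// Runs both builders on both bodies and reports what each produces.
function demo() {
  const out = {
    unsafeLegit: buildQueryUnsafe(legitBody),     // { type: 'blog' }
    unsafeHostile: buildQueryUnsafe(hostileBody), // { type: { $ne: 0 } }
    hostileFlagged: containsOperatorKey(hostileBody),
    safeLegit: buildQuerySafe(legitBody),
    safeHostileError: null,
  };
  try {
    buildQuerySafe(hostileBody);
  } catch (err) {
    out.safeHostileError = err.message;
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```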
  14. THANKS FOR YOUR ATTENTION! Contact me at vladimir@sqreen.io
