Sqreen, profile picture
Uploaded bySqreen
PDF, PPTX54,564 views

NoSQL Injections in Node.js - The case of MongoDB

This document discusses NoSQL injections in Node.js applications using MongoDB. It provides examples of how request body parameters can be used to alter MongoDB queries and presents best practices for validating user input to prevent injection attacks. These include using middleware to validate request data matches expected types and structures, or using libraries like Joi and Celebrate for schema-based validation. The document emphasizes that input validation is crucial to secure MongoDB queries from manipulation through user-supplied values.

Embed presentation

Download as PDF, PPTX
NoSQL INJECTIONS IN NODE.JS The case of MongoDB Vladimir de Turckheim 5 DEC 2016
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: ‘blog’ } { type: ‘blog’ } All documents which field ‘type’ equals ‘blog’
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: } { type: }
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: }
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } }
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } } All documents which field ‘type’ does not equal 0
WAIT, THERE IS WORST { $where:’this.amount > 0’ }
In MongoDB < 2.4, it is possible to perform all operations on a database from an injection (including dropDatabase).
VALIDATE WHAT GETS INSIDE YOUR APPLICATION hapi on a route, use config.validate express add a data validation middleware It can be a custom one It can use a third party library See tutorial online
</> EXPRESS: CUSTOM DATA VALIDATION MIDDLEWARE app.post('/documents/find', validate, (req, res) => ...); const validate = function (req, res, next) { const body = req.body; if (body.desiredType && !(typeof body.desiredType==='string')){ return next(new Error('title must be a string')); } next(); }; 1 2 3 4 5 6 7
</> EXPRESS: USING JOI AND CELEBRATE TO VALIDATE DATA app.post('/documents/find', validate, (req, res) => ...); const validate = Celebrate({ body: Joi.object.keys({ desiredType: Joi.string().optional() }) }); 1 2 3 4 5
THANKS FOR YOUR ATTENTION ! Contact me at vladimir@sqreen.io

More Related Content

PDF
Security Challenges in Node.js
byWebsecurify
 
PDF
Hack tutorial
byWakana Yoshizawa
 
PDF
お題でGroovyプログラミング: Part A
byKazuchika Sekiya
 
PDF
Postman On Steroids
bySara Tornincasa
 
PDF
Decoupling Objects With Standard Interfaces
byThomas Weinert
 
PDF
Asynchronous I/O in PHP
byThomas Weinert
 
PPTX
Bootstrap
byNexThoughts Technologies
 
PDF
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-
byTsuyoshi Yamamoto
 
Security Challenges in Node.js
byWebsecurify
 
Hack tutorial
byWakana Yoshizawa
 
お題でGroovyプログラミング: Part A
byKazuchika Sekiya
 
Postman On Steroids
bySara Tornincasa
 
Decoupling Objects With Standard Interfaces
byThomas Weinert
 
Asynchronous I/O in PHP
byThomas Weinert
 
Bootstrap
byNexThoughts Technologies
 
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-
byTsuyoshi Yamamoto
 

What's hot

PPT
Ruby on Rails Intro
byzhang tao
 
PDF
Javascript - Beyond-jQuery
byTanner Moushey ❖ Mission Lab - WordPress Agency
 
PPTX
Net/http and the http.handler interface
byJoakim Gustin
 
PDF
React for Beginners
byDerek Willian Stavis
 
ODP
The promise of asynchronous PHP
byWim Godden
 
TXT
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
byArian Gutierrez
 
PPTX
AngularJS - $http & $resource Services
byEyal Vardi
 
PPTX
Avoiding callback hell in Node js using promises
byAnkit Agarwal
 
PDF
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
byTsuyoshi Yamamoto
 
PDF
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
byTsuyoshi Yamamoto
 
PDF
Reactive Programming Patterns with RxSwift
byFlorent Pillet
 
PDF
New in MongoDB 2.6
bychristkv
 
PDF
Hd insight programming
byCasear Chu
 
PDF
Talk KVO with rac by Philippe Converset
byCocoaHeads France
 
PDF
JavaScript Promise
byJoseph Chiang
 
PDF
Javascript Continues Integration in Jenkins with AngularJS
byLadislav Prskavec
 
ODP
Introduccion a Jasmin
byRodrigo Quelca Sirpa
 
PDF
Finch.io - Purely Functional REST API with Finagle
byVladimir Kostyukov
 
PDF
JavaScript OOP Pattern
by지수 윤
 
PDF
RSpec
byMarco Otte-Witte
 
Ruby on Rails Intro
byzhang tao
 
Javascript - Beyond-jQuery
byTanner Moushey ❖ Mission Lab - WordPress Agency
 
Net/http and the http.handler interface
byJoakim Gustin
 
React for Beginners
byDerek Willian Stavis
 
The promise of asynchronous PHP
byWim Godden
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
byArian Gutierrez
 
AngularJS - $http & $resource Services
byEyal Vardi
 
Avoiding callback hell in Node js using promises
byAnkit Agarwal
 
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
byTsuyoshi Yamamoto
 
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
byTsuyoshi Yamamoto
 
Reactive Programming Patterns with RxSwift
byFlorent Pillet
 
New in MongoDB 2.6
bychristkv
 
Hd insight programming
byCasear Chu
 
Talk KVO with rac by Philippe Converset
byCocoaHeads France
 
JavaScript Promise
byJoseph Chiang
 
Javascript Continues Integration in Jenkins with AngularJS
byLadislav Prskavec
 
Introduccion a Jasmin
byRodrigo Quelca Sirpa
 
Finch.io - Purely Functional REST API with Finagle
byVladimir Kostyukov
 
JavaScript OOP Pattern
by지수 윤
 
RSpec
byMarco Otte-Witte
 

Viewers also liked

PPTX
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
by44CON
 
PPTX
Rest api code completion for javascript - dotjs 2015
byjohannes_fiala
 
PPTX
DotJS Lightning Talk Vorlon.js
byEtienne Margraff
 
PDF
dotJS 2015
byBrendan Eich
 
PPTX
Pug - a compiler pipeline
byForbes Lindesay
 
PDF
Query mechanisms for NoSQL databases
byArangoDB Database
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
by44CON
 
Rest api code completion for javascript - dotjs 2015
byjohannes_fiala
 
DotJS Lightning Talk Vorlon.js
byEtienne Margraff
 
dotJS 2015
byBrendan Eich
 
Pug - a compiler pipeline
byForbes Lindesay
 
Query mechanisms for NoSQL databases
byArangoDB Database
 

Similar to NoSQL Injections in Node.js - The case of MongoDB

PDF
Mongoskin - Guilin
byJackson Tian
 
PDF
Mongodb mock test_ii
byAnkit Dubey
 
PPS
MongoDB crud
byDarshan Jayarama
 
DOCX
Mongoose getting started-Mongo Db with Node js
byPallavi Srivastava
 
PPTX
Webinar: Building Your First App in Node.js
byMongoDB
 
PPTX
Webinar: Building Your First App in Node.js
byMongoDB
 
PDF
Mongo db basics
byHarischandra M K
 
PPTX
mongodb introduction11111111111111111111
byVADAPALLYPRAVEENKUMA1
 
PPTX
Mongo Nosql CRUD Operations
byanujaggarwal49
 
KEY
Introduction to MongoDB
byAlex Bilbie
 
PPTX
Introduction to MongoDB – A NoSQL Database
bymanikgupta2k04
 
PDF
The emerging world of mongo db csp
byCarlos Sánchez Pérez
 
PDF
full stack modul 5, mongodb,webpack,front-end,back-end
byleapsky6
 
PDF
12 mongo db_and_nodejs
byAhmed Elbassel
 
PDF
MongoDB and Node.js
byNorberto Leite
 
PPTX
Introduction to MongoDB
byS.Shayan Daneshvar
 
PPTX
MongoDB using Grails plugin by puneet behl
byTO THE NEW | Technology
 
PPTX
Document validation in MongoDB 3.2
byAndrew Morgan
 
PPTX
Mongo DB 102
byAbhijeet Vaikar
 
PDF
Mongo db
byToki Kanno
 
Mongoskin - Guilin
byJackson Tian
 
Mongodb mock test_ii
byAnkit Dubey
 
MongoDB crud
byDarshan Jayarama
 
Mongoose getting started-Mongo Db with Node js
byPallavi Srivastava
 
Webinar: Building Your First App in Node.js
byMongoDB
 
Webinar: Building Your First App in Node.js
byMongoDB
 
Mongo db basics
byHarischandra M K
 
mongodb introduction11111111111111111111
byVADAPALLYPRAVEENKUMA1
 
Mongo Nosql CRUD Operations
byanujaggarwal49
 
Introduction to MongoDB
byAlex Bilbie
 
Introduction to MongoDB – A NoSQL Database
bymanikgupta2k04
 
The emerging world of mongo db csp
byCarlos Sánchez Pérez
 
full stack modul 5, mongodb,webpack,front-end,back-end
byleapsky6
 
12 mongo db_and_nodejs
byAhmed Elbassel
 
MongoDB and Node.js
byNorberto Leite
 
Introduction to MongoDB
byS.Shayan Daneshvar
 
MongoDB using Grails plugin by puneet behl
byTO THE NEW | Technology
 
Document validation in MongoDB 3.2
byAndrew Morgan
 
Mongo DB 102
byAbhijeet Vaikar
 
Mongo db
byToki Kanno
 

More from Sqreen

PDF
Protecting against injections at scale
bySqreen
 
PDF
Serverless security - how to protect what you don't see?
bySqreen
 
PDF
Writing a Python C extension
bySqreen
 
PDF
Api days 2018 - API Security by Sqreen
bySqreen
 
PDF
Application Security from the Inside - OWASP
bySqreen
 
PDF
Tune your App Perf (and get fit for summer)
bySqreen
 
PDF
Instrument Rack to visualize
 Rails requests processing
bySqreen
 
PDF
Ruby on Rails security in your Continuous Integration
bySqreen
 
Protecting against injections at scale
bySqreen
 
Serverless security - how to protect what you don't see?
bySqreen
 
Writing a Python C extension
bySqreen
 
Api days 2018 - API Security by Sqreen
bySqreen
 
Application Security from the Inside - OWASP
bySqreen
 
Tune your App Perf (and get fit for summer)
bySqreen
 
Instrument Rack to visualize
 Rails requests processing
bySqreen
 
Ruby on Rails security in your Continuous Integration
bySqreen
 

Recently uploaded

PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknowtechs
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
Information about Trusted Platform Module(TPM)
bynewtoknowtechs
 

NoSQL Injections in Node.js - The case of MongoDB

  • 1.
    NoSQL INJECTIONS INNODE.JS The case of MongoDB Vladimir de Turckheim 5 DEC 2016
  • 2.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
  • 3.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
  • 4.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: ‘blog’ } { type: ‘blog’ } All documents which field ‘type’ equals ‘blog’
  • 5.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: } { type: }
  • 6.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: }
  • 7.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } }
  • 8.
    </> IN PRACTICEapp.post(‘/documents/find’,(req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } } All documents which field ‘type’ does not equal 0
  • 9.
    WAIT, THERE ISWORST { $where:’this.amount > 0’ }
  • 10.
    In MongoDB <2.4, it is possible to perform all operations on a database from an injection (including dropDatabase).
  • 11.
    VALIDATE WHAT GETSINSIDE YOUR APPLICATION hapi on a route, use config.validate express add a data validation middleware It can be a custom one It can use a third party library See tutorial online
  • 12.
    </> EXPRESS: CUSTOMDATA VALIDATION MIDDLEWARE app.post('/documents/find', validate, (req, res) => ...); const validate = function (req, res, next) { const body = req.body; if (body.desiredType && !(typeof body.desiredType==='string')){ return next(new Error('title must be a string')); } next(); }; 1 2 3 4 5 6 7
  • 13.
    </> EXPRESS: USINGJOI AND CELEBRATE TO VALIDATE DATA app.post('/documents/find', validate, (req, res) => ...); const validate = Celebrate({ body: Joi.object.keys({ desiredType: Joi.string().optional() }) }); 1 2 3 4 5
  • 14.
    THANKS FOR YOURATTENTION ! Contact me at vladimir@sqreen.io