This document summarizes Patrycja Wegrzynowicz's presentation on NoSQL injection at CodeOne 2018. It introduces the speaker's background and covers various types of NoSQL injection attacks like tautologies, union queries, and piggy-backed queries. The presentation demonstrates these attacks on sample applications and provides recommendations for protecting against NoSQL injection like input validation, parameter binding, and secure database configuration. It emphasizes that security risks exist beyond just injections and are not specific to MongoDB.

1. The Hacker’s Guide
to NoSQL Injec9on
Patrycja Wegrzynowicz
CTO, Yon Labs/Yonita
CodeOne 2018

2. About Me
• 20+ professional experience
• SoRware engineer, architect, head of
soRware R&D
• Author and speaker
• JavaOne, Devoxx, JavaZone, TheServerSide
Java Symposium, Jazoon, OOPSLA, ASE,
others
• Top 10 Women in Tech 2016 in Poland
• Founder and CTO of Yon Labs/Yonita
• Consul9ng, trainings and code audits
• Automated detec9on and refactoring of
soRware defects
• Security, performance, concurrency,
databases
• Twi]er @yonlabs

3. About Me
• 20+ professional experience
• SoRware engineer, architect, head of soRware
R&D
• Author and speaker
• JavaOne, Devoxx, JavaZone, TheServerSide
Java Symposium, Jazoon, OOPSLA, ASE, others
• Top 10 Women in Tech 2016 in Poland
• Founder and CTO of Yon Labs and Yonita
• Bridge the gap between the industry and the
academia
• Automated detec9on and refactoring of
soRware defects
• Trainings and code reviews
• Security, performance, concurrency, databases
• Twi]er @yonlabs

4. Agenda
• Security horror stories
• Demos of NoSQL injec9on
• Protec9on against NoSQL injec9on
• Common NoSQL misconfigura9ons

5. Security Horror Stories
#!/bin/bash

6. SQL Injection
6
xkdc

7. Simple SQL/ORM Injection
7
String custId = request.getParameter(”cust_id”)
String sqlQuery = ”SELECT * FROM ACCOUNT WHERE CUST_ID=“ + custId;
String jpqlQuery = ”from Account where custId=“ + custId
http://www.example.com/app/accountView?cust_id=0 or 1=1
http://www.example.com/app/accountView?cust_id%3D0%20or%201%3D1%0A
SELECT * FROM ACCOUNT WHERE CUST_ID=0 or 1=1
from Account where custId=0 or 1=1

8. Interesting Injections
8

9. Interesting Injections
9

10. SQL Injection Damage
• Loss of confidentiality
• SELECT ... WHERE ... OR 1=1
• Loss of integrity
• 5; DROP TABLE ACCOUNTS;
• Loss of availability
• 5; BENCHMARK(99999999,MD5(NOW()))
10

11. Db Engines Ranking
11
h&ps://db-engines.com/en/ranking

12. NoSQL Injection?

13. NoSQL Injection?
13
h&ps://intellipaat.com/blog/what-is-mongodb/

14. NoSQL Horror Stories
14

15. OWASP Top 10 Risks 2017

16. Demo #1
• Bypass Authen9ca9on: Known Account Name
• h]p://demo.yonita.com:3000

17. Demo #1 Attack Vector
17

18. Problem?
• Take a look at source code

19. Demo #2
• Bypass Authen9ca9on: Unknown Account Name
• h]p://demo.yonita.com:3000
• Please register :-)

20. Demo #2 A]ack Vector

21. Hashed Passwords
• Login
• Hash provided password
• Search for User in mongodb with a given username and hashed
password

22. Hashed Passwords
• Login
• Hash provided password
• Search for User in mongodb with a given username and hashed
password
• Dic9onary search
• Many users => some have simple passwords
• Use salted passwords
• e.g. bcrypt

23. Demo #3
Expose Data
• h]p://demo.yonita.com:3000
• Private notes about CodeOne
• Please register
• Leave your note about CodeOne => I’ll will read all of
them :-)

24. NoSQL Injec9on
Tautologies
• A]ack Intent
• Bypassing authen9ca9on
• Iden9fying injectable parameters
• Extrac9ng data
• Descrip9on
• Injec9ng code that the condi9on always evaluates to true
• Example
• Demo #1

25. NoSQL Injec9on
Union Queries
• A]ack Intent
• Bypassing authen9ca9on, extrac9ng data
• Descrip9on
• Changes the data set returned for a given query
• Example
• Demo #2

26. NoSQL Injec9on
Piggy-Backed Queries
• A]ack Intent
• Extrac9ng data, adding or modifying data, performing
denial of service, execu9ng remote commands
• Descrip9on
• Injec9ng addi9onal JS into the original query
• Example
Robb', $where: ‘func9on(){
sleep(5000); return this.name == “Robb"}'
})

27. Blind NoSQL Injec9on
http://www.example.com/app/viewArticle?articleId=5
The article displayed No article error
or
1=1
and
1=2

28. Blind NoSQL Injec9on
Real World Example

29. Blind NoSQL Injec9on
Real World Example

30. Blind NoSQL Injec9on
Real World Example

31. Blind NoSQL Injec9on
Real World Example - Exploit

32. Blind NoSQL Injec9on
Real World Example - Patch

33. Protec9on against NoSQL Injec9on
Primary Defences
• User input
• Strong type checking
• Input valida9on
• White-list valida9on
• Input sani9za9on
• Escaping all user supplied input
• Use proper API
• No string concatena9on
• Beware of template engines
• Bind parameters

34. Protec9on against NoSQL Injec9on
Addi9onal Defences
• Applica9on tes9ng
• Black-box tes9ng
• Sta9c code checkers
• Dynamic analysis
• Tools in the middle
• Intrusion detec9on systems
• Proxy filtering
• Web applica9on firewalls

35. MongoDb Default Configura9on

36. MongoDb Security Check List
• Enable Access Control and Enforce Authen9ca9on
• Configure Role-Based Access Control
• Encrypt Communica9on
• Limit Network Exposure
• > 3.6 bind only to localhost
• Run MongoDB with Secure Configura9on Op9ons
• mapReduce, group, $where
• —noscrip9ng op9on

37. Remember!
It’s not all about injec9ons!

38. And it’s not all about MongoDb!

39. A fool with a tool is only a fool!

40. Con9nuous Learning

41. Q&A
• patrycja@yonita.com
• @yonlabs