Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Data MongoDB nosql injection

I have a question. Are queries in mongo repositories in spring data safe from NoSQL injection attack? Is it possible to successfully perform such attack on spring-boot application ? For example if I create interface which extends MongoRepository with my own methods, are default queries generated in safe way that such attack is not possible? Thanks

like image 462
Ajris Avatar asked Oct 16 '22 15:10

Ajris


1 Answers

I created small Spring Boot application with one mongo repository. I performed some basic NoSQL injection attacks on it, and just to be sure that they work, I did it also using Robo3T and checked that output was as I expected. For example, making query like:

db.getCollection('user').find({
"login":"f1", 
"password" : { '$ne': null } })

would give me all users with that login which exists in database. I made this attacks with doing such { '$ne': null } for String field type.(also I did some other attacks with other types, but i will explain my other conclusions later) As I figured out, in that way, it's impossible to provide our own commands. Spring just made this look like:

"password":"{ '$ne': null }"

and whenever we try to maybe end it with "", it would just add \ to our query, for example:

{ "login" : "f1", "password" : "\"end earlier\"" }

I also checked making other requests(mostly from here: https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt as I found it here https://www.owasp.org/index.php/Testing_for_NoSQL_injection, maybe these links would help someone), however none of them was successful. So as far as I am concerned they were prepared on such cases like NoSQL Injection and they secured it. However, I would be grateful if someone could uphold or disagree with my opinion(which was based on performed attacks) and provide some more proofs or examples. Thanks.

like image 128
Ajris Avatar answered Oct 21 '22 05:10

Ajris