In my last article, we saw how SQL injections work and some techniques to defend against them. However, NoSQL databases are becoming increasingly popular. It's hard to deny their speed and ease of handling unstructured data, especially with development teams increasingly working with agile methodologies.
It takes time for developers to learn the vulnerabilities and other pitfalls of an emerging technology. It is only after it has been used for some time in production applications that the problems start to surface.
NoSQL databases are no exception. Developers need to be aware of the main risks in order to keep their applications secure, and one of those risks is NoSQL injection.
Let's take a look at what NoSQL injection is, the damage it can cause and how to fix it.
Understanding NoSQL injection
NoSQL injection has the same root cause as SQL injection: untrusted input reaches the query without being kept apart from the query's own structure.
NoSQL injection lets an attacker place query operators, and in some cases executable code, into a NoSQL query. That is enough to read data they should never see, bypass authentication and, if the application's database account has the privileges, modify or delete records.
MongoDB is the most popular playground for this vulnerability. Its queries are JSON-like documents, and the condition {"$ne": ""} ("not equal to the empty string") is the closest thing to the 1=1 of the SQL world. Suppose a login form sends its fields as JSON and the server drops them straight into the query, which in Node.js looks like db.users.findOne({username: req.body.username, password: req.body.password}). Instead of two strings, an attacker submits {"username": {"$ne": ""}, "password": {"$ne": ""}} (with Express's extended URL-encoded parser, username[$ne]=&password[$ne]= produces the same objects). The database then searches for every record whose username and password are both different from the empty string. In other words: all records. Ouch!
A login check written this way usually signs the attacker in as the first record returned, which is often the administrator account created when the application was set up. And if passwords are stored in plain text rather than hashed, every username and password in the collection can be pulled out the same way, administrators included, handing the attacker full control of the application. Encryption at rest does not help here: the query goes through the application, which reads the data decrypted.
Attackers mostly try to pass conditions that are always true ($ne, $gt, $regex and so on). Another common attack targets operators that take JavaScript rather than data, such as $where: if user input lands inside that string, the attacker injects code that the server evaluates for every document.
Why is NoSQL injection dangerous?
NoSQL injection is dangerous first of all because it has received far less attention than SQL injection: many developers, training courses and scanners still treat injection as a SQL problem.
The impacts are much the same as those of traditional SQL injection. Data can be read, modified or deleted if the injected filter ends up in an update or delete operation. Accounts can be compromised too, either directly through an authentication bypass or through stolen credentials.
Ultimately, MongoDB and the other NoSQL engines are vulnerable to attack: "NoSQL" does not mean "no injection".
Fortunately, some in the community, including CyberSecura, are taking note and spreading the word. More developers need to educate themselves so that they can protect their applications from little-known vicious attacks that can become a huge headache if exploited.
Defeating NoSQL injection
NoSQL injection can be harder to defeat than its SQL cousin. The drivers offer nothing called a parameterised query, because the query is already a structured object rather than a string. The upside is that the fix is conceptual rather than syntactic: user input must enter the query only as a scalar value (a string, a number), never as an object whose keys could be operators. A few options help you get there:
Sometimes the simplest approach is enough to be the most effective. Here, code review is your strongest ally.
➡ Make sure that the user's input has the type it is supposed to have before it touches the query. If it is a number, check for and use a number; if it is a string, check for and use a string; and reject anything else. An object or an array arriving in a field that should be a string is an attack, not an edge case.
➡ Any object supplied by an "attacker" should never be treated as an object, but as plain data. Schema libraries such as Mongoose help: documents are cast to the schema's types on save, so casting a plain object into a String field fails. Be careful with query filters, though: Mongoose's query casting preserves operators such as $ne, so a schema alone does not protect findOne(). Use the sanitizeFilter option (Mongoose 6 and later), which wraps any object value in $eq so that its keys are compared as data rather than interpreted as operators, and keep the type check in your own code as well.
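To make the attack and the two defences above concrete, here is an added example written for this editing pass; it is not code from the original article or from CyberSecura. A login filter is built three ways (vulnerable, type-checked, sanitised) and run against a small constructed users collection through an in-memory stand-in for collection.find(), so the script runs without a MongoDB server. The users, the request bodies, the matcher and the function names are all constructed for the demo; only the operators the demo needs ($eq, $ne, $gt, $regex) are implemented.

```javascript
// Added example, not code from the original article or from CyberSecura.
// Shows the injection described above (a login filter assembled from a
// JSON body) and two ways to harden it. Everything here is constructed
// for the demo: the users, the request bodies and the tiny matcher that
// stands in for collection.find() so the script runs without MongoDB.

// Constructed users. Passwords are plain text only so the damage is
// visible; real applications store a salted hash instead.
const users = [
  { _id: 1, username: 'admin', password: 'Tr0ub4dor&3',   role: 'admin' },
  { _id: 2, username: 'alice', password: 'correct horse', role: 'user' },
  { _id: 3, username: 'bob',   password: 'hunter2',       role: 'user' },
];

// In-memory stand-in for collection.find(filter). Only the operators the
// demo needs are implemented, with MongoDB's semantics for these cases
// ($ne also matches documents where the field is missing).
function matchesDoc(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    const isOperatorObject = cond !== null && typeof cond === 'object'
      && !Array.isArray(cond) && !(cond instanceof RegExp);
    if (!isOperatorObject) return value === cond;          // implicit $eq
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$eq':    return value === arg;
        case '$ne':    return value !== arg;
        case '$gt':    return value > arg;
        case '$regex': return new RegExp(arg).test(String(value));
        default: throw new Error(`operator ${op} not implemented in this demo`);
      }
    });
  });
}
function find(filter) { return users.filter((doc) => matchesDoc(doc, filter)); }

// 1. Vulnerable: whatever the JSON body parser produced goes straight
//    into the filter, so an object with operator keys becomes a condition.
function vulnerableLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// 2. Hardened by type checking: a credential is a string or the request
//    is rejected before any query is built.
function strictLoginFilter(body) {
  for (const key of ['username', 'password']) {
    if (typeof body[key] !== 'string') throw new TypeError(`${key} must be a string`);
  }
  return { username: body.username, password: body.password };
}

// 3. Hardened by sanitising the filter: every object value is wrapped in
//    $eq, so its keys are compared as data and never read as operators.
//    This is the idea behind Mongoose's sanitizeFilter option.
function sanitizeFilter(filter) {
  const clean = {};
  for (const [field, value] of Object.entries(filter)) {
    const isPlainObject = value !== null && typeof value === 'object'
      && !Array.isArray(value) && !(value instanceof RegExp);
    clean[field] = isPlainObject ? { $eq: value } : value;
  }
  return clean;
}
function sanitizedLoginFilter(body) {
  return sanitizeFilter(vulnerableLoginFilter(body));
}

// Runs one login attempt and returns the usernames the filter matched,
// or { rejected } when the input check refused the request.
function loginAttempt(buildFilter, body) {
  try {
    return find(buildFilter(body)).map((u) => u.username);
  } catch (err) {
    return { rejected: err.message };
  }
}

// Constructed request bodies, exactly as an Express JSON body parser
// would deliver them. "attack" is the $ne bypass from the article;
// "probe" turns the password field into a guess-one-character oracle.
const honest = JSON.parse('{"username":"alice","password":"correct horse"}');
const attack = JSON.parse('{"username":{"$ne":""},"password":{"$ne":""}}');
const probe  = JSON.parse('{"username":"admin","password":{"$regex":"^Tr"}}');

// Every strategy against every body, as one object for inspection.
function report() {
  const strategies = { vulnerableLoginFilter, strictLoginFilter, sanitizedLoginFilter };
  const bodies = { honest, attack, probe };
  const out = {};
  for (const [name, build] of Object.entries(strategies)) {
    out[name] = {};
    for (const [label, body] of Object.entries(bodies)) {
      out[name][label] = loginAttempt(build, body);
    }
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

The vulnerable filter returns all three users for the $ne body (a naive login then signs the attacker in as "admin", the first record) and returns "admin" alone for the $regex probe, which is how a password can be extracted character by character without ever being returned to the client. The type check rejects both malicious bodies before a query exists; the sanitised filter lets the query run but matches nothing, because {$eq: {$ne: ""}} compares a string against an object. The real MongoDB Node driver accepts the same filter objects, so the three builder functions drop into a collection.find() or findOne() call unchanged. Note also that the honest path here only works because passwords are stored in clear; in production the query should look up the user by username alone and compare a password hash in application code.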
Harden the database itself! Give the application a low-privilege account (read-only where it only reads, never an admin role), disable server-side JavaScript if you do not use $where (security.javascriptEnabled: false in the mongod configuration), put a limit on query execution time so that an injected query cannot hang the server, and always follow the security best practices that apply in your organisation.
Encrypt the data in your NoSQL databases, and hash passwords. Encryption at rest protects a stolen disk or backup, but it does nothing against an injection that goes through the application, which reads the data decrypted; password hashing is what keeps an extracted users collection from handing out working credentials.
One drawback of the ease of use of NoSQL databases is the tendency of developers to use them without worrying about security.
It is essential to learn how to use a NoSQL database safely and thus protect against NoSQL injections.
To summarise, you need to:
Sanitise your input before using it in a NoSQL query expression;
Use plugins/drivers that help you (like Mongoose with sanitizeFilter enabled);
Perform code reviews that specifically examine how input data is used in queries;
Adopt an automatic auditing policy (possibly implemented by us) to try to find vulnerabilities in your code;
Apply "least privilege", which is a good Defence in Depth (DiD) strategy in case someone finds a vulnerability in your application.