Contents
V5627. OWASP. Possible NoSQL injection. Potentially tainted data is used to create query.
The analyzer has detected unverified external data that is used to create a query to a NoSQL database. This can lead to a NoSQL injection if the data is compromised.
Injections make a separate category in the OWASP Top 10 Application Security Risks 2021: A3:2021-Injection.
Look at the following example:
public IFindFluent<BsonDocument, BsonDocument> Authentication()
{
String log = Request.Form["login"];
String pass = Request.Form["password"];
String filter = "{$where: \"function() {" +
$"return this.login=='{log}' && this.password=='{pass}'"+
";}\"}";
return collection.Find(filter);
}The 'Authentication' method looks for a user account in MongoDB, the NoSQL database, by username and password. The 'filter' string that contains JavaScript code is created for this. This string helps filter the search results. In SQL, the following query operates in a similar fashion: SELECT * FROM collection WHERE login = @log AND password = @pass.
The values of the 'log' and 'pass' strings from an external source are used to create the filter. Such use of unverified data allows attackers to inject malicious code in a query.
The following example shows how an attacker could use this string instead of the expected 'pass' value:
"-1' || this.login == 'admin"Then accessing the database may look as follows:
{$where: "function()
{
return this.login == 'doesn't matter'
&& this.password == '-1'
|| this.login == 'admin';
}"}In this case, the query will return the administrator account data.
To protect users against NoSQL injections, databases provide tools for creating parameterized queries.
Here is an example of a secure query:
public IFindFluent<BsonDocument, BsonDocument> Authentication()
{
String log = Request.Form["login"];
String pass = Request.Form["password"];
var filter = Builders<BsonDocument>.Filter.Eq("login", log)
& Builders<BsonDocument>.Filter.Eq("password", pass);
return collection.Find(filter);
}The filter is created here with the help of a special 'Builders' class. Due to this, the query will be parameterized and external data will not be able to affect the filter's logic.
The analyzer also considers the parameters of methods available from other builds as sources of insecure data. You can read more about it in our note: "Why you should check values of public methods' parameters".
Here's the example:
public class MongoDBRep
{
public void DeleteItemsByCounter(string count)
{
DeleteMany(count);
}
private void DeleteMany(string count)
{
var filter = "{$where:\"function(){return this.count == "+count+";}\"}";
collection.DeleteMany(filter);
}
}Here, potentially tainted data from the 'count' parameter is passed to the 'DeleteMany' method, where tainted data is used without verification to delete records from the database.
Attackers can create a query of the type as follows:
{$where: "function()
{
return this.count == -999
|| 1 == 1;
}"}Execution of this query causes all database documents to be deleted, regardless of the 'count' field value.
In this case, we recommend you to protect yourself in the same way that was given above.
This diagnostic is classified as:
|
Was this page helpful?
