Coders Conquer Security: Share & Learn Series - NoSQL Injection
NoSQL databases are becoming more and more popular. It's hard to deny their speed and ease of dealing with unstructured data, especially with dev teams working to increasingly agile methodologies.
It takes time for developers to shake out vulnerabilities and other challenges in emerging technology. Only after it has been in use for some time in production applications do problems begin to bubble to the surface.
NoSQL databases are similar. There are key risks developers should be aware of so they can keep their applications safe. One such risk is NoSQL injection.
Let's take a look at what NoSQL injection is, what damage it can cause, and how to fix it:
Understand NoSQL Injection
NoSQL injection is caused by many of the same injection vulnerabilities such as XML or SQL injection.
NoSQL injection allows attackers to place arbitrary commands into a NoSQL query. This allows them to steal data and even make changes to the database if their privileges are high enough.
When an application places user-controlled data directly into a NoSQL query expression, these expressions often take functions or have built-in operators that can be manipulated to steal or change data. And when such a thing is executed with malicious intent, the consequences can be dire.
MongoDB databases are one of the most popular playgrounds to exploit with this vulnerability. "$ne: ""'is the operator equivalent to 1=1 in the SQL world, so, by way of example, an attacker could place the characters "$ne: “”’ into the username and password fields of a UI. If the code is vulnerable to NoSQL injection, the database will search for all records where the username and password do not equal an empty string. In other words: all of them. Yikes.
If this database is unencrypted, then the attacker could steal the usernames and passwords of every single user within it. This includes administrator username and passwords, giving them an all-access pass to the entire database.
Attackers often try to pass-in values that are always true. Another common attack is to inject malicious code into properties that are set to functions.
For example, MongoDB uses a find function that takes an object with a property called $where. The $where property is set to a function that should evaluate to true or false. If this function is changed in any way by user input, a NoSQL injection likely lurks there.
For a nicely detailed look at the intricacies of NoSQL injection, check out this InfoQ article.
Know Why NoSQL Injection is Dangerous
NoSQL injection is dangerous mostly because it hasn't yet received the scrutiny from the security community it deserves.
The impacts of NoSQL injection are much the same as with traditional SQL injection. Data can be stolen or changed, accounts can be compromised by stealing data and, perhaps most viciously, data could be completely wiped out if a delete command is successfully issued.
The bottom line is that MongoDB and other NoSQL database engines are vulnerable to attack. "No SQL" doesn't mean no injections.
Thankfully, some in the community are taking note and putting the word out. More developers need to educate themselves so they can protect their apps from little-known nasties that can become a huge headache if exploited.
Defeat NoSQL Injection
NoSQL injection can be difficult to defeat. Unfortunately, there isn't the option of parameterized queries as there is with SQL injection. However, it's not impossible. There are a few options to help you out:
- Fuzzers can be used as one method to detect vulnerabilities. Although, as is the case with many things in life, the simplest approach can be the most effective. Here, good old code review is your strongest ally.
- When reviewing code, look for possible places where user input could set the value of an expression or change a function. Don't allow user input to change your queries.
- Be sure to cast user input to its rightful class. If its a number, cast it to a number, if its a string, cast to a string and so on.
- Never use $where or similar eval functions along with user input. In most cases, you can work around it by changing the data model or schema.
- Try using Mongoose as your MongoDB driver. Mongoose allows you to define a schema for your NoSQL database. If you tell Mongoose that your inputs are strings, they will be cast to strings. So, any objects passed in by an attacker will not be treated as objects, but as strings.
- Harden your DB! Create low-privilege user accounts, maximize execution time for queries, and always follow the security best practices that apply to your organization.
A disadvantage of NoSQL databases'ease of use is the tendency of developers to stand them up and start using them with no thought about security.
It's essential that you take the time to learn how to securely stand up a NoSQL database and protect yourself from NoSQL injections.
For instance, MongoDB Enterprise Edition has advanced access control capabilities for your documents. Enforcing "least privilege'can be a good Defense in Depth (DiD) strategy in case someone were to find a vulnerability in your application.
To sum up, here's what we have:
- Sanitize your input before using it in a NoSQL query expression
- Use drivers that help you out, like Mongoose
- Perform code reviews that look specifically at how input data is used within queries
- Use fuzzers and scanners to try to help find vulnerabilities in your code.
NoSQL is not No Injections
NoSQL databases are quickly gaining popularity due to their scalable features and speed of setup. The newness of the technology can lead developers to use NoSQL databases without thinking of how to secure them.
NoSQL databases can be just as vulnerable as SQL databases to injection attacks, so act with caution and pay attention to your queries. If you want to learn more, check out our Learning Resources or test your skills with our free demo.
Prepare yourself ahead of time and you won't need to worry about NoSQL injections in your applications. Too easy!
Think youre ready to locate, identify and fix NoSQL injection right now? Enter the secure code arena, warrior:
And thats a wrap for 2018! This will be our final post for the year, but well be back with the next Coders Conquer Security guide on January 10th, 2019. See you soon!
NoSQL databases are becoming increasingly popular. It's hard to deny their speed and ease of dealing with unstructured data, but as use becomes widespread, more vulnerabilities inevitably bubble to the surface.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
NoSQL databases are becoming more and more popular. It's hard to deny their speed and ease of dealing with unstructured data, especially with dev teams working to increasingly agile methodologies.
It takes time for developers to shake out vulnerabilities and other challenges in emerging technology. Only after it has been in use for some time in production applications do problems begin to bubble to the surface.
NoSQL databases are similar. There are key risks developers should be aware of so they can keep their applications safe. One such risk is NoSQL injection.
Let's take a look at what NoSQL injection is, what damage it can cause, and how to fix it:
Understand NoSQL Injection
NoSQL injection is caused by many of the same injection vulnerabilities such as XML or SQL injection.
NoSQL injection allows attackers to place arbitrary commands into a NoSQL query. This allows them to steal data and even make changes to the database if their privileges are high enough.
When an application places user-controlled data directly into a NoSQL query expression, these expressions often take functions or have built-in operators that can be manipulated to steal or change data. And when such a thing is executed with malicious intent, the consequences can be dire.
MongoDB databases are one of the most popular playgrounds to exploit with this vulnerability. "$ne: ""'is the operator equivalent to 1=1 in the SQL world, so, by way of example, an attacker could place the characters "$ne: “”’ into the username and password fields of a UI. If the code is vulnerable to NoSQL injection, the database will search for all records where the username and password do not equal an empty string. In other words: all of them. Yikes.
If this database is unencrypted, then the attacker could steal the usernames and passwords of every single user within it. This includes administrator username and passwords, giving them an all-access pass to the entire database.
Attackers often try to pass-in values that are always true. Another common attack is to inject malicious code into properties that are set to functions.
For example, MongoDB uses a find function that takes an object with a property called $where. The $where property is set to a function that should evaluate to true or false. If this function is changed in any way by user input, a NoSQL injection likely lurks there.
For a nicely detailed look at the intricacies of NoSQL injection, check out this InfoQ article.
Know Why NoSQL Injection is Dangerous
NoSQL injection is dangerous mostly because it hasn't yet received the scrutiny from the security community it deserves.
The impacts of NoSQL injection are much the same as with traditional SQL injection. Data can be stolen or changed, accounts can be compromised by stealing data and, perhaps most viciously, data could be completely wiped out if a delete command is successfully issued.
The bottom line is that MongoDB and other NoSQL database engines are vulnerable to attack. "No SQL" doesn't mean no injections.
Thankfully, some in the community are taking note and putting the word out. More developers need to educate themselves so they can protect their apps from little-known nasties that can become a huge headache if exploited.
Defeat NoSQL Injection
NoSQL injection can be difficult to defeat. Unfortunately, there isn't the option of parameterized queries as there is with SQL injection. However, it's not impossible. There are a few options to help you out:
- Fuzzers can be used as one method to detect vulnerabilities. Although, as is the case with many things in life, the simplest approach can be the most effective. Here, good old code review is your strongest ally.
- When reviewing code, look for possible places where user input could set the value of an expression or change a function. Don't allow user input to change your queries.
- Be sure to cast user input to its rightful class. If its a number, cast it to a number, if its a string, cast to a string and so on.
- Never use $where or similar eval functions along with user input. In most cases, you can work around it by changing the data model or schema.
- Try using Mongoose as your MongoDB driver. Mongoose allows you to define a schema for your NoSQL database. If you tell Mongoose that your inputs are strings, they will be cast to strings. So, any objects passed in by an attacker will not be treated as objects, but as strings.
- Harden your DB! Create low-privilege user accounts, maximize execution time for queries, and always follow the security best practices that apply to your organization.
A disadvantage of NoSQL databases'ease of use is the tendency of developers to stand them up and start using them with no thought about security.
It's essential that you take the time to learn how to securely stand up a NoSQL database and protect yourself from NoSQL injections.
For instance, MongoDB Enterprise Edition has advanced access control capabilities for your documents. Enforcing "least privilege'can be a good Defense in Depth (DiD) strategy in case someone were to find a vulnerability in your application.
To sum up, here's what we have:
- Sanitize your input before using it in a NoSQL query expression
- Use drivers that help you out, like Mongoose
- Perform code reviews that look specifically at how input data is used within queries
- Use fuzzers and scanners to try to help find vulnerabilities in your code.
NoSQL is not No Injections
NoSQL databases are quickly gaining popularity due to their scalable features and speed of setup. The newness of the technology can lead developers to use NoSQL databases without thinking of how to secure them.
NoSQL databases can be just as vulnerable as SQL databases to injection attacks, so act with caution and pay attention to your queries. If you want to learn more, check out our Learning Resources or test your skills with our free demo.
Prepare yourself ahead of time and you won't need to worry about NoSQL injections in your applications. Too easy!
Think youre ready to locate, identify and fix NoSQL injection right now? Enter the secure code arena, warrior:
And thats a wrap for 2018! This will be our final post for the year, but well be back with the next Coders Conquer Security guide on January 10th, 2019. See you soon!
NoSQL databases are becoming more and more popular. It's hard to deny their speed and ease of dealing with unstructured data, especially with dev teams working to increasingly agile methodologies.
It takes time for developers to shake out vulnerabilities and other challenges in emerging technology. Only after it has been in use for some time in production applications do problems begin to bubble to the surface.
NoSQL databases are similar. There are key risks developers should be aware of so they can keep their applications safe. One such risk is NoSQL injection.
Let's take a look at what NoSQL injection is, what damage it can cause, and how to fix it:
Understand NoSQL Injection
NoSQL injection is caused by many of the same injection vulnerabilities such as XML or SQL injection.
NoSQL injection allows attackers to place arbitrary commands into a NoSQL query. This allows them to steal data and even make changes to the database if their privileges are high enough.
When an application places user-controlled data directly into a NoSQL query expression, these expressions often take functions or have built-in operators that can be manipulated to steal or change data. And when such a thing is executed with malicious intent, the consequences can be dire.
MongoDB databases are one of the most popular playgrounds to exploit with this vulnerability. "$ne: ""'is the operator equivalent to 1=1 in the SQL world, so, by way of example, an attacker could place the characters "$ne: “”’ into the username and password fields of a UI. If the code is vulnerable to NoSQL injection, the database will search for all records where the username and password do not equal an empty string. In other words: all of them. Yikes.
If this database is unencrypted, then the attacker could steal the usernames and passwords of every single user within it. This includes administrator username and passwords, giving them an all-access pass to the entire database.
Attackers often try to pass-in values that are always true. Another common attack is to inject malicious code into properties that are set to functions.
For example, MongoDB uses a find function that takes an object with a property called $where. The $where property is set to a function that should evaluate to true or false. If this function is changed in any way by user input, a NoSQL injection likely lurks there.
For a nicely detailed look at the intricacies of NoSQL injection, check out this InfoQ article.
Know Why NoSQL Injection is Dangerous
NoSQL injection is dangerous mostly because it hasn't yet received the scrutiny from the security community it deserves.
The impacts of NoSQL injection are much the same as with traditional SQL injection. Data can be stolen or changed, accounts can be compromised by stealing data and, perhaps most viciously, data could be completely wiped out if a delete command is successfully issued.
The bottom line is that MongoDB and other NoSQL database engines are vulnerable to attack. "No SQL" doesn't mean no injections.
Thankfully, some in the community are taking note and putting the word out. More developers need to educate themselves so they can protect their apps from little-known nasties that can become a huge headache if exploited.
Defeat NoSQL Injection
NoSQL injection can be difficult to defeat. Unfortunately, there isn't the option of parameterized queries as there is with SQL injection. However, it's not impossible. There are a few options to help you out:
- Fuzzers can be used as one method to detect vulnerabilities. Although, as is the case with many things in life, the simplest approach can be the most effective. Here, good old code review is your strongest ally.
- When reviewing code, look for possible places where user input could set the value of an expression or change a function. Don't allow user input to change your queries.
- Be sure to cast user input to its rightful class. If its a number, cast it to a number, if its a string, cast to a string and so on.
- Never use $where or similar eval functions along with user input. In most cases, you can work around it by changing the data model or schema.
- Try using Mongoose as your MongoDB driver. Mongoose allows you to define a schema for your NoSQL database. If you tell Mongoose that your inputs are strings, they will be cast to strings. So, any objects passed in by an attacker will not be treated as objects, but as strings.
- Harden your DB! Create low-privilege user accounts, maximize execution time for queries, and always follow the security best practices that apply to your organization.
A disadvantage of NoSQL databases'ease of use is the tendency of developers to stand them up and start using them with no thought about security.
It's essential that you take the time to learn how to securely stand up a NoSQL database and protect yourself from NoSQL injections.
For instance, MongoDB Enterprise Edition has advanced access control capabilities for your documents. Enforcing "least privilege'can be a good Defense in Depth (DiD) strategy in case someone were to find a vulnerability in your application.
To sum up, here's what we have:
- Sanitize your input before using it in a NoSQL query expression
- Use drivers that help you out, like Mongoose
- Perform code reviews that look specifically at how input data is used within queries
- Use fuzzers and scanners to try to help find vulnerabilities in your code.
NoSQL is not No Injections
NoSQL databases are quickly gaining popularity due to their scalable features and speed of setup. The newness of the technology can lead developers to use NoSQL databases without thinking of how to secure them.
NoSQL databases can be just as vulnerable as SQL databases to injection attacks, so act with caution and pay attention to your queries. If you want to learn more, check out our Learning Resources or test your skills with our free demo.
Prepare yourself ahead of time and you won't need to worry about NoSQL injections in your applications. Too easy!
Think youre ready to locate, identify and fix NoSQL injection right now? Enter the secure code arena, warrior:
And thats a wrap for 2018! This will be our final post for the year, but well be back with the next Coders Conquer Security guide on January 10th, 2019. See you soon!
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
NoSQL databases are becoming more and more popular. It's hard to deny their speed and ease of dealing with unstructured data, especially with dev teams working to increasingly agile methodologies.
It takes time for developers to shake out vulnerabilities and other challenges in emerging technology. Only after it has been in use for some time in production applications do problems begin to bubble to the surface.
NoSQL databases are similar. There are key risks developers should be aware of so they can keep their applications safe. One such risk is NoSQL injection.
Let's take a look at what NoSQL injection is, what damage it can cause, and how to fix it:
Understand NoSQL Injection
NoSQL injection is caused by many of the same injection vulnerabilities such as XML or SQL injection.
NoSQL injection allows attackers to place arbitrary commands into a NoSQL query. This allows them to steal data and even make changes to the database if their privileges are high enough.
When an application places user-controlled data directly into a NoSQL query expression, these expressions often take functions or have built-in operators that can be manipulated to steal or change data. And when such a thing is executed with malicious intent, the consequences can be dire.
MongoDB databases are one of the most popular playgrounds to exploit with this vulnerability. "$ne: ""'is the operator equivalent to 1=1 in the SQL world, so, by way of example, an attacker could place the characters "$ne: “”’ into the username and password fields of a UI. If the code is vulnerable to NoSQL injection, the database will search for all records where the username and password do not equal an empty string. In other words: all of them. Yikes.
If this database is unencrypted, then the attacker could steal the usernames and passwords of every single user within it. This includes administrator username and passwords, giving them an all-access pass to the entire database.
Attackers often try to pass-in values that are always true. Another common attack is to inject malicious code into properties that are set to functions.
For example, MongoDB uses a find function that takes an object with a property called $where. The $where property is set to a function that should evaluate to true or false. If this function is changed in any way by user input, a NoSQL injection likely lurks there.
For a nicely detailed look at the intricacies of NoSQL injection, check out this InfoQ article.
Know Why NoSQL Injection is Dangerous
NoSQL injection is dangerous mostly because it hasn't yet received the scrutiny from the security community it deserves.
The impacts of NoSQL injection are much the same as with traditional SQL injection. Data can be stolen or changed, accounts can be compromised by stealing data and, perhaps most viciously, data could be completely wiped out if a delete command is successfully issued.
The bottom line is that MongoDB and other NoSQL database engines are vulnerable to attack. "No SQL" doesn't mean no injections.
Thankfully, some in the community are taking note and putting the word out. More developers need to educate themselves so they can protect their apps from little-known nasties that can become a huge headache if exploited.
Defeat NoSQL Injection
NoSQL injection can be difficult to defeat. Unfortunately, there isn't the option of parameterized queries as there is with SQL injection. However, it's not impossible. There are a few options to help you out:
- Fuzzers can be used as one method to detect vulnerabilities. Although, as is the case with many things in life, the simplest approach can be the most effective. Here, good old code review is your strongest ally.
- When reviewing code, look for possible places where user input could set the value of an expression or change a function. Don't allow user input to change your queries.
- Be sure to cast user input to its rightful class. If its a number, cast it to a number, if its a string, cast to a string and so on.
- Never use $where or similar eval functions along with user input. In most cases, you can work around it by changing the data model or schema.
- Try using Mongoose as your MongoDB driver. Mongoose allows you to define a schema for your NoSQL database. If you tell Mongoose that your inputs are strings, they will be cast to strings. So, any objects passed in by an attacker will not be treated as objects, but as strings.
- Harden your DB! Create low-privilege user accounts, maximize execution time for queries, and always follow the security best practices that apply to your organization.
A disadvantage of NoSQL databases'ease of use is the tendency of developers to stand them up and start using them with no thought about security.
It's essential that you take the time to learn how to securely stand up a NoSQL database and protect yourself from NoSQL injections.
For instance, MongoDB Enterprise Edition has advanced access control capabilities for your documents. Enforcing "least privilege'can be a good Defense in Depth (DiD) strategy in case someone were to find a vulnerability in your application.
To sum up, here's what we have:
- Sanitize your input before using it in a NoSQL query expression
- Use drivers that help you out, like Mongoose
- Perform code reviews that look specifically at how input data is used within queries
- Use fuzzers and scanners to try to help find vulnerabilities in your code.
NoSQL is not No Injections
NoSQL databases are quickly gaining popularity due to their scalable features and speed of setup. The newness of the technology can lead developers to use NoSQL databases without thinking of how to secure them.
NoSQL databases can be just as vulnerable as SQL databases to injection attacks, so act with caution and pay attention to your queries. If you want to learn more, check out our Learning Resources or test your skills with our free demo.
Prepare yourself ahead of time and you won't need to worry about NoSQL injections in your applications. Too easy!
Think youre ready to locate, identify and fix NoSQL injection right now? Enter the secure code arena, warrior:
And thats a wrap for 2018! This will be our final post for the year, but well be back with the next Coders Conquer Security guide on January 10th, 2019. See you soon!
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.