NoSQL Injection SEC642. Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S

Transcription

1 SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S NoSQL Injection Copyright Justin Searle and Adrien de Beaupré All Rights Reserved Version D01_01

2 About me Consultant Principal SANS Instructor InfoSec full time since 2000 Black Belt & Martial Arts Enthusiast CoAuthor of SANS SEC 460 and 642

3 Modern Penetration Testing Use the features of the operating system Use the features of the network protocols Use the features of the web application New framework = new features to learn Exploitation is just making use of new features in ways that might not have been anticipated, or known to implementers / developers 3 SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 3

4 THE MEAN STACK End-to-end JavaScript from client to database MEAN is a lightweight MVC framework Found on Mean.io The components are: mongodb (NoSQL Database) Express (MVC Framework) AngularJS (Client-Side Framework) Node.JS (JavaScript Server) SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 4

5 NoSQL DATABASES: DEFINITION No standards between platforms, no common query language Security features: Authentication: Often not enabled by default, and if available, limited. Some databases require additional software like proxies for authentication. Access Controls: Many NoSQL databases, even if they require users to authenticate, do not use different roles. All users have access to everything. Auditing: Some NoSQL Databases do not log, at all. Hit-and-miss if TLS is built into the database. Encryption is normally not provided beyond filesystem encryption. Only few NoSQL databases provide data encryption features. SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 5

6 DATABASES SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 6

7 MONGODB MongoDB is a Document-Oriented Database It does not use traditional SQL: Uses NoSQL formatted in JSON-like messages Language called BSON, or Binary JSON Different than a relational database, the schemas are dynamic and can be changed on demand Queries can include JavaScript functions "Mongo only pawn in game of life" SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 7

8 UNDERSTANDING HOW NoSQL WORKS SQL Made of rows and tables Generally ACID-compliant: Atomicity Consistency Isolation Durability Maintains consistency even if limits scalability NoSQL Made of key-value pairs: MongoDB has "documents" Riak has "buckets" Generally BASE-compliant: Basically Available Soft State Eventually Consistent Trades consistency for scalability SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 8

9 NoSQL vs. SQL SQL: MySQL Example SQL Queries: SELECT * FROM users where ID=1; Update a User: UPDATE users SET password = '<input>' WHERE ID = <#>; Create Table: CREATE TABLE users (id MEDIUMINT NOT NULL AUTO INCREMENT, user_id Varchar(30)) NoSQL: MongoDB Example NoSQL Queries: db.users.find({user_id: 1,}) Example User Update: db.users.update({user_id: <#>}, {$set: {password:'<input>'}}) Create Table: db.createcollection('users') SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 9

10 MONGODB NOSQL INJECTION MongoDB, like other NoSQL backended databases, will not be vulnerable to SQL injection as you may traditionally understand it Injection attacks use JSON or BSON to control queries on databases: MongoDB is often attacked via its $where operator (similar to SQL's where clause) Arbitrary JavaScript may also be injected into unprotected db.eval(), mapreduce, and group operators Parameter injection like so: The [$ne] is added so that it evaluates potentially as user not equal SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 10

11 MONGODB FUZZING Things to try for Mongo NoSQLi: JavaScript -> Inserting a function can be interesting! Json -> / { } : Trigger MongoDB syntax error -> ' " \ ; { } Insert logic -> ' '1' == '1' ; // Comment out -> // Operators -> $where $gt $lt $ne $regex Mongo commands -> db.getcollectionnames() SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 11

12 NOSQL INJECTION METHODOLOGY Have a baseline valid request for comparison Attempt to cause a syntax error response from the database Inject operators that modify the query Inject logic to cause the query to return multiple records Inject new records that modify the schema <- careful! Delete or modify records <- careful! Inject JavaScript Inject JSON or BSON directly to the database Access REST APIs, management interfaces, or the database directly SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 12

13 NOSQL INJECTION PROJECTS Tools: NoSQLMap NoSQL Exploitation Framework FuzzDB list of injection strings (all 21 lines) Some commercial automated web application scanners Vulnerable applications: One written by Robin "digininja" Wood Bundled in NoSQLMap Written for the Websecurify blog post on NoSQL Injection Many others, likely not intentional though! SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 13

14 Demo! SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 14

15 Demo: NoSQL INJECTION mongo.sec642.org Click on Guess_The_Key Type in a guess Now we have a baseline SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 15

16 Demo: NoSQL INJECTION GUESS_THE_KEY SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 16

17 Demo: NoSQL INJECTION ASKING FOR THE KEY With the stack trace, we can create the attack The context of their code dictates our exploit Close off the previous logic, insert new logic, comment off the rest of the line ' ; return key; // Voila, the key value appears SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 17

18 Demo: NoSQL INJECTION USER LOOKUP Return to the home page Click on User_Lookup Type in a name We now see a valid but negative response Type in sid to see a valid and positive response for our baseline SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 18

19 Demo: NoSQL INJECTION USING QUERY PARAMETERS Entering sid gave us a valid query and response Fuzzing gave us nothing useful We will need to insert JavaScript, logic, or query operators to achieve our goal [$ne], [$gt], and [$regex] will help use here. SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 19

20 Demo: NoSQL INJECTION USING QUERY PARAMETERS type[$ne]=user& username[$ne]=sid Success! type[$regex]=.*& username[$regex]=.* Dumps the whole table! SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 20 20

21 Demo: NoSQL INJECTION LOGIN We want to be administrator! There are three parameters: type, username, password How can we bypass the password check once we have a valid username and user type? SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 21

22 Demo: NoSQL INJECTION AUTHENTICATION BYPASS Query operators once again. type[$ne]=user &username[$ne]=foo &password=bar' '1'=='1 SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 22

23 New series of web app pen test cheat sheets Crowdsource! SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 23

24 Questions? SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 24

25 COURSE RESOURCES AND CONTACT INFORMATION AUTHOR CONTACT Moses Frost Justin Adrien de PEN TESTING RESOURCES pen-testing.sans.org SANS INSTITUTE Rockville Pike, Suite 200 North Bethesda, MD SANS(7267) SANS GENERAL INQUIRIES: REGISTRATION: TUITION: PRESS/PR: SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques 25