{'xhtml:p': 'An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.'}
Description
Attack Execution Flow
4
1
Step 1
Explore[Survey target application] Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.
Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
Identify areas of the application that interact with user input and may be involved with NoSQL queries.
AI Translation
[Survey target application] A causa del numero di database NoSQL disponibili e delle numerose combinazioni di linguaggi/API di ciascuno, l’adversary deve prima condurre un survey dell’applicazione target per apprendere quali tecnologie vengono utilizzate e come interagiscono con i dati generati dagli utenti.
Determina lo stack tecnologico impiegato dall’applicazione target, come il server applicativo, i driver, i framework, le API e i database utilizzati.
Identifica le aree dell’applicazione che interagiscono con l’input dell’utente e che potrebbero essere coinvolte nelle query NoSQL.
Attack Techniques
-
Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
-
Identify areas of the application that interact with user input and may be involved with NoSQL queries.IT: Determina lo stack tecnologico utilizzato dall'applicazione target, come il server applicativo, i driver, i framework, le API e i database impiegati.
2
Step 2
Experiment[Identify user-controllable input susceptible to injection] After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., '$ne' for MongoDB or '$exists' for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.
Use web browser to inject input through text fields or through HTTP GET parameters.
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
Use network-level packet injection tools such as netcat to inject input
Use modified client (modified by reverse engineering) to inject input.
AI Translation
Sperimentazione
[Identificare gli input controllabili dall'utente suscettibili di injection] Dopo aver identificato lo stack tecnologico utilizzato e dove viene sfruttato l'input guidato dall'utente, determinare gli input controllabili dall'utente suscettibili di injection come moduli di autenticazione o di ricerca. Per ciascun input controllabile dall'utente che l'attaccante sospetta essere vulnerabile a NoSQL injection, tentare di iniettare caratteri o parole chiave che hanno un significato speciale nel database NoSQL o nel linguaggio utilizzato (ad esempio, "$ne" per MongoDB o "$exists" per PHP/MongoDB), o JavaScript che può essere eseguito all’interno dell’applicazione. L’obiettivo è creare una query NoSQL con una sintassi non valida.
Utilizzare il browser web per iniettare input tramite campi di testo o parametri HTTP GET.
Utilizzare uno strumento di debug di applicazioni web come Tamper Data, TamperIE, WebScarab, ecc. per modificare i parametri HTTP POST, campi nascosti, campi non liberi, ecc.
Utilizzare strumenti di injection di pacchetti a livello di rete come netcat per iniettare input.
Utilizzare client modificati (modificati tramite reverse engineering) per iniettare input.
Attack Techniques
-
Use network-level packet injection tools such as netcat to inject input
-
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.IT: Utilizza strumenti di iniezione di pacchetti a livello di rete come netcat per iniettare input
-
Use modified client (modified by reverse engineering) to inject input.IT: Utilizza strumenti di iniezione di pacchetti a livello di rete come netcat per iniettare input
-
Use web browser to inject input through text fields or through HTTP GET parameters.IT: Utilizza strumenti di iniezione di pacchetti a livello di rete come netcat per iniettare input
3
Step 3
Experiment[Experiment with NoSQL Injection vulnerabilities] After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.
Use public resources such as OWASP's 'Testing for NoSQL Injection' [REF-668] or Null Sweep's 'NoSQL Injection Cheatsheet' [REF-669] and try different approaches for adding logic to NoSQL queries.
Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.
Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as 'where' within PHP [CAPEC-460].
AI Translation
Sperimentazione
[Esperimento con vulnerabilità di NoSQL Injection] Dopo aver determinato che un determinato input è vulnerabile a NoSQL Injection, ipotizza come potrebbe apparire la query sottostante. Cerca iterativamente di aggiungere logica alla query per estrarre informazioni dal database, modificare/eliminare dati nel database o eseguire comandi sul server.
Utilizza risorse pubbliche come "Testing for NoSQL Injection" di OWASP [REF-668] o "NoSQL Injection Cheatsheet" di Null Sweep [REF-669] e prova approcci diversi per aggiungere logica alle query NoSQL.
Aggiungi iterativamente logica alla query NoSQL e utilizza messaggi di errore dettagliati dal server per eseguire il debug della query.
Prova un attacco di HTTP Parameter Pollution per sostituire parole chiave specifiche del linguaggio, come "where" all’interno di PHP [CAPEC-460].
Attack Techniques
-
Use public resources such as OWASP's "Testing for NoSQL Injection" [REF-668] or Null Sweep's "NoSQL Injection Cheatsheet" [REF-669] and try different approaches for adding logic to NoSQL queries.
-
Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.IT: Utilizza risorse pubbliche come "Testing for NoSQL Injection" di OWASP [REF-668] o "NoSQL Injection Cheatsheet" di Null Sweep [REF-669] e sperimenta diverse strategie per aggiungere logica alle query NoSQL.
-
Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as "where" within PHP [CAPEC-460].IT: Utilizza risorse pubbliche come "Testing for NoSQL Injection" di OWASP [REF-668] o "NoSQL Injection Cheatsheet" di Null Sweep [REF-669] e sperimenta diverse strategie per aggiungere logica alle query NoSQL.
4
Step 4
Exploit[Exploit NoSQL Injection vulnerability] After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.
Craft and Execute underlying NoSQL query
AI Translation
[Exploit NoSQL Injection vulnerability] Dopo aver perfezionato e aggiunto varie logiche alle query NoSQL, crea ed esegui la query NoSQL sottostante che verrà utilizzata per attaccare il sistema target.
Creare ed eseguire la query NoSQL sottostante
Attack Techniques
-
Craft and Execute underlying NoSQL query
Mitigations
8
Strong Input Validation - All User-Controllable Input Must Be Validated And Filtered For Illegal Characters As Well As Relevant Nosql And Javascript Content. Nosql-Specific Keywords, Such As $Ne, $Eq Or $Gt For Mongodb, Must Be Filtered In Addition To Characters Such As A Single-Quote(') Or Semicolons (;) Based On The Context In Which They Appear. Validation Should Also Extend To Expected Types.
Ensure The Most Recent Version Of A Nosql Database And It'S Corresponding Api Are Used By The Application.
If Possible, Leverage Safe Apis (E.G., Pymongo And Flask-Pymongo For Python And Mongodb) For Queries As Opposed To Building Queries From Strings.
Use Of Custom Error Pages - Adversaries Can Glean Information About The Nature Of Queries From Descriptive Error Messages. Input Validation Must Be Coupled With Customized Error Pages That Inform About An Error Without Disclosing Information About The Database Or Application.
If Using Mongodb, Disable Server-Side Javascript Execution And Leverage A Sanitization Module Such As "Mongo-Sanitize".
Exercise The Principle Of Least Privilege With Regards To Application Accounts To Minimize Damage If A Nosql Injection Attack Is Successful.
Additional Mitigations Will Depend On The Nosql Database, Api, And Programming Language Leveraged By The Application.
If Using Php With Mongodb, Ensure All Special Query Operators (Starting With $) Use Single Quotes To Prevent Operator Replacement Attacks.
Consequences
Security Scopes Affected
Access Control
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Gain Privileges
Modify Data
Read Data
Indicators
2
Too many false or invalid queries to the database, especially those caused by malformed input.
Executed queries or commands that appear to malicious in nature or originating from an untrustworthy source.
Relationships
Parent CAPECs
Resources Required
1
None: No specialized resources are required to execute this type of attack.