Blog Details

  • NoSql and NoSql Injection
img
Others

What’s The NoSql?

NoSql is the generic name for non-relational databases. These databases store data in a different format than relational tables.

Why Use NoSql Database?

NoSql databases are used in projects such as developing more flexible applications, working with big data and real-time (instant) web applications. The two biggest reasons for their use here are high accessibility and scalability. They are also faster than relational databases. It can be formed more quickly according to the needs of the applications and is more compatible in terms of storage.

What are the Features of NoSql Databases?

They are flexible. They provide the ability to respond faster and iteratively in terms of flexible schema and data storage.

Scalable. They eliminate the necessity of using expensive and permanent servers with the support of the expansion feature due to the distributed data structure.

They have high performance. NoSql databases, which are optimized for data models and access patterns, have higher performance than other database types.

They are functional. The data types and APIs they provide have a high rate of functionality because they are prepared according to data models.
It is easy for portability. NoSql databases can be easily moved with storage devices.

They provide convenience in terms of identification. Data can be stored and defined in JSON and XML format without the need for tables or rows.

NoSql Database Types

Key Value: It is the most flexible NoSql database type. It allows full control over the database.

Document Based: It is a type of NoSql database used to store and manage semi-structured data.

Chart: It is a NoSql database type that works with connected datasets. It is mostly used in projects such as social networks and fraud detection infrastructures.

Search: They index and accumulate kept logs and metrics and search them, providing a fast visualization and analysis of the data in real time.

In-Memory: It provides timely and trouble-free operation of applications that need to be responded at very high speeds and that can generate high traffic at any time.

What is NoSql Injection?

It is the type of injection that occurs in non-relational databases. It is different from Sql Injection as there is no query string usage in non-relational databases.

Looking at how NoSql filters are built, it may seem impossible to bypass them to inject any payload as they rely on creating a structured array. Unlike the SQL Injection vulnerability, where queries are normally built with simple string concatenation, NoSql queries require nested associative arrays. In other words, for NoSqli attack, it is necessary to be able to inject arrays into the application. It turns out that PHP and many languages ​​allow us to pass an array in the POST Request Body using the following notation:

The web application makes a query to MongoDB using the “myapp” database and the “login” collection. It’s asking for any document that passes the [‘username’ => $user, ‘password’ => $pass] filter.

Let’s send an array with the following content to the $user and $pass variables:

$user = [‘$ne’ => ‘xxxx’]

$pass = [‘$ne’ => ‘yyyy’]

If we could send an array like this as a result of our filter:

[$user = [‘$ne’ => ‘xxxx’], $pass = [‘$ne’ => ‘yyyy’]]

We can trick the database into returning any document where the username is not equal to ‘xxxx’ and the password is not equal to ‘yyyy’. This will probably return us all the documents in the login collection.

The unresolved issue is how to pass a directory as part of a POST http request. It turns out that PHP and many other languages ​​allow us to pass an array in the POST request body using the following notation:

user[$ne]=xxxx&pass[$ne]=yyyy

Time Based NoSql Injection (NoSQL DoS)

We can examine Time Based Injection by going through the WASP Juice Shop. You can follow the github link to download OWASP Juice Shop.

When we click on the Eggfruit Juice (500ml) product on the OWASP Juice Shop, we can see the following request when we look at the network area from DevTools.

From this request, we can understand that the data is pulled according to the id part. So, our key is the id value, which is necessary for us to fetch data from the db, and it is equal to 3 in this request. Since we are used to it here, we can do a lot of Sql Injection experiments. But we will not encounter any vulnerabilities or access any useful information.
Considering that a database other than Sql databases is used here, we will make other experiments. We will try Time Based NoSql Injection by using the sleep function instead of the id value in the request.
As can be seen in the image below, we can see that the response returns late when we give the sleep(1000) value instead of the id value. Thus, NoSql Injection worked without any problems.

NoSql Manipulation

We are adding a “test1” comment for Eggfruit Juice (500ml).

Then click to edit this comment.

While editing the comment, we will try to manipulate it by changing the id value. We will try to affect the values ​​where the id value is not null as the data is moving according to the id value as a reference. So by using $ne we will have changed all the comments in the database to mean “not equal”. So we will change the request shown below.

When we change and send the request seen above as below, we will see that all comments are edited and the manipulation is successful.

Thanks to NoSql Injection, we can see that the comments have changed.