Security Resource Hub
Ethical Hacking

Topic 7: No-SQL Injection

Complete & Continue Next Lesson Learn More

Understanding No-SQL Injections

No-SQL injections occur when attackers exploit vulnerabilities in non-relational (No-SQL) databases to access or manipulate data. Unlike traditional SQL databases, No-SQL databases use non-structured query languages and have different data storage and retrieval mechanisms.

When attackers successfully execute a No-SQL injection, they can bypass authentication, access sensitive information, or modify data within the database.

NoSQL injections are when dynamic database queries can be used and manipulated by supplying active and unexpected user input, such as Binary and Query Object types. 

  • A popular NoSQL database is MongoDB. 

  • Query objects can circumvent server-side by using Recon of client-side javascript to find API endpoints and payloads associated with them.

  • User validation issues are common and leverage usernames & passwords. Issues normally arise within an underlying library, allowing malicious attackers to inject dynamic characters. 

  • Eg: db.accounts.find({username: “U_value”, password: “P_value”}) 

  • If there are no issues with the underlying library, the other way to inject malicious code would be via Nested Query objects. Eg: username: “admin”, password: “{exist: True}”

Types of No-SQL Injection:

  • Comparison: {$gt: 0}

  • Logical: {$not: " "}

  • Element: {$exists: true}

  • Evaluation: $where <= An evaluation query generally matches documents that satisfy a Javascript Expression. 

    • db.collection.find({'$where' ⇒ 'this.name === ' + <Inject_EvilINPUT>}) ';

  • Comment: Through a comment query operator, an attacker can inject an XSS payload inside the comment tag. It can be used to reflect the XSS on server logs. If an admin looks at them through their browser, it would be vulnerable to remote code execution functionalities.

    • db.collection.find({ <query>, $comment: "<script> EVIL code </script>" })

This can have severe consequences for organizations, including data breaches, loss of data integrity, and compromised system availability.
Protecting against No-SQL injections requires robust security measures such as input validation, parameterized queries, and proper access control. Additionally, staying informed about emerging threats and regularly updating database security protocols is essential for safeguarding against No-SQL injection attacks.

No-SQL Injection Mitigation Strategies:

  • Input Validation and Sanitization: Make sure that the underlying library is Sanitized. User inputs must match the expected type. For example, if you expect a string, the string should not feature any dynamic value.

  • Least Privilege Principle:

    • When configuring database access controls, follow the principle of least privilege. Limit the privileges of application accounts to only the necessary database operations and collections/documents.

    • Avoid granting unnecessary permissions that could be exploited during a NoSQL injection attack.

  • Parameterized Queries:

    • Use parameterized queries or prepared statements to interact with the NoSQL database whenever possible. Parameterized queries separate the query logic from the user input, preventing malicious input from altering the query structure.

    • Always avoid using query operators in user inputs such as where, MapReduce, etc.

    • Use [ODM] Object Document Mapping or [ORM] Object Relational Mapping

  • For additional safety, set javascriptEnabled to False