Understanding NoSQL Injection and How to Prevent it

This article starts with "once upon a time" when I was learning MongoDB and thought that the schema less feature could be more secure than SQL Databases (SQL Injections). So I migrated all my projects to MongoDB and for the past few months I have been working on NoSQL Injection and writing a series of tutorials on it.

What Is An Injection

An injection is a security vulnerability that lets attackers take control of database queries through the unsafe use of user input. It can be used by an attacker to expose unauthorized information and odify data.

Let me give you a glimpse of NoSQL Injection first. Suppose, your application is accepting JSON username and password, so it can be bypassed by:

1
{
2
    "username": { "$ne": "malicious@example.com" },
3
    "password": { "$ne": "mymaliciouspassword" }
4
}

Now if on the backend you are using:

1
Model.findOne(req.body)
2
​
3
// or
4
​
5
Model.findOne({ username: req.body.username, password: req.body.password });

Then your application is vulnerable to NoSQL Injection.

How? Let's substitute those values:

1
Model
2
  .findOne({ 
3
    username: { 
4
      $ne: "malicious@example.com" 
5
    },
6
    password: {
7
      $ne: "mymaliciouspassword"
8
    }  
9
})

Now, if there is at least one document in the collection that doesn't have the same username and password as the attacker has passed, it can log in to your web application with the very first document that matches this criterion

Practical Example: https://mongoplayground.net/p/omLJSlWfR-w

Preventing NoSQL

There is only one thing you can do, "SANITIZATION" by casting the input to in specific type. Like in this case, casting username and password to String() would work. As you know String() on any object would be [object Object] so I am directly substituting the value here:

Model.findOne({
  username: "[object Object]",
  password: "[object Object]"
})

In production, this would be the rarest document in the collection.

Practical Demonstration: https://mongoplayground.net/p/XZKEXaypJjQ

ExpressJS Middle-Ware Approach

Four months ago I had created a question StackOverflow (https://stackoverflow.com/questions/59394484/expressjs-set-the-depth-of-json-parsing), to which a user named x00 posted the answer about the solution of setting up the depth of parsing nested JSON body.

Practical Demonstration:

1
...
2
const depth_limit = 2; // the depth of JSON to parse
3
​
4
app.use(express.json())
5
const get_depth = (obj) => {
6
    let depth = 0
7
    for (const key in obj) {
8
        if (obj[key] instanceof Object) {
9
            depth = Math.max(get_depth(obj[key]), depth)
10
        }
11
    }
12
    return depth + 1
13
}
14
​
15
const limit_depth = function(req, res, next) {
16
    if (get_depth(req.body) > depth_limit) throw new Error("Possible NoSQL Injection")
17
    next()
18
}
19
​
20
app.use(limit_depth)
21
...

Or if you want to use [object Object] notation to prevent application crash. I personally recommend you to use this one:

1
...
2
let depth_limit = 1; // the depth of JSON to parse
3
​
4
app.use(express.json())
5
let limit_depth = (obj, current_depth, limit) => {
6
    // traversing each key and then checking the depth
7
    for (const key in obj) {
8
        if (obj[key] instanceof Object) {
9
            if (current_depth + 1 === limit) {
10
                obj[key] = "[object Object]" // or something similar
11
            } else limit_depth(obj[key], current_depth + 1, limit)
12
        }
13
    }
14
}
15
​
16
// middle-ware in action
17
app.use(function(req, res, next) {
18
    limit_depth(req.body, 0, depth_limit);
19
    next()
20
})
21
...

Middle-ware in action

Practical Demonstration: https://repl.it/@tbhaxor/Preventing-NoSQL-Injection-in-Express

If you have some other cool ideas, I would love to hear from you. You can either comment down here or contact me at the following

• Twitter
• Instagram
• LinkedIn
• Email

References

• Introduction to NoSQL Injection
• NoSQL Injection Payloads
• NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
• NoSQLi Lab