NoSQL Injection For Beginners | TryHackMe NoSQL Injection

Motasem Hamdan
3 min read · Jul 14, 2024

We covered an introduction to NoSQL, the difference between NoSQL and SQL, and the NoSQL operators. We discussed the two basic types of NoSQL injection, namely syntax-based injection and operator-based injection. We used the practical scenario from TryHackMe NoSQL Injection for demo purposes.

Components of a NoSQL Database

Documents
You can think of a document as a simple dictionary structure that stores key-value pairs. Documents are very similar to what you would call a record in a traditional relational database, but the information is stored differently. Each key is a field, which plays the role a column plays in a relational table. For example, let’s say we are creating a web application for the HR department, and we would like to store basic employee information. You would then create a document for each employee containing the data in a format that looks like this:

{"_id" : ObjectId("5f077332de2cdf808d26cd74"), "username" : "lphillips", "first_name" : "Logan", "last_name" : "Phillips", "age" : "65", "email" : "lphillips@example.com" }

Collections
MongoDB allows you to group multiple documents with a similar function together in higher hierarchy structures called collections for organizational purposes. Collections are the equivalent of tables in relational databases.
Multiple collections are finally grouped in databases, which is the highest hierarchical element in MongoDB.

Operators

$eq - matches records that are equal to a certain value
$ne - matches records that are not equal to a certain value
$gt - matches records that are greater than a certain value
$where - matches records based on a JavaScript condition
$exists - matches records that have a certain field
$regex - matches records that satisfy certain regular expressions

The root cause of NoSQL Injection

The root cause of an injection attack is that improper concatenation of untrusted user input into a command can allow an attacker to alter the command itself. With SQL injection, the most common approach is to inject a single or double quote that terminates the current data concatenation and allows the attacker to modify the query. The same approach applies to NoSQL injection: if untrusted user input is added directly to the query, the query itself can be modified. However, with NoSQL injection, even when the input cannot escape the current query, it can still manipulate how the query behaves.

Types of NoSQL Injection

Syntax Injection
This is similar to SQL injection, where we have the ability to break out of the query and inject our own payload. The key difference from SQL injection is the syntax used to perform the attack. Since most libraries used to build queries apply filters that prevent you from injecting into the syntax, this type is not as popular.

Operator Injection
Even if we can’t break out of the query, we could potentially inject a NoSQL query operator that manipulates the query’s behavior, allowing us to stage attacks such as authentication bypasses.
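The operator-injection case above, shown from the defender's side as an added example (not code from the original post or the TryHackMe room). The `matches` helper is a hypothetical, simplified stand-in for MongoDB's filter evaluation, and the user record and request bodies are constructed sample data.

```javascript
// Constructed sample collection; plaintext password only to keep the sketch short.
const users = [{ username: "lphillips", password: "s3cret-constructed" }];

// Hypothetical stand-in for MongoDB filter matching, limited to operators
// listed on this page. Not MongoDB's implementation.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    // A scalar condition means plain equality.
    if (cond === null || typeof cond !== "object") return value === cond;
    // An object condition is read as a set of query operators.
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$eq": return value === arg;
        case "$ne": return value !== arg;
        case "$gt": return value > arg;
        case "$exists": return (field in doc) === arg;
        case "$regex": return typeof value === "string" && new RegExp(arg).test(value);
        default: throw new Error("unsupported operator: " + op);
      }
    });
  });
}

// Vulnerable: request values go straight into the filter, so a JSON object
// supplied as the password is interpreted as an operator, not as data.
function loginVulnerable(body) {
  return users.some((u) => matches(u, { username: body.username, password: body.password }));
}

// Hardened: accept only plain strings and force an explicit equality match.
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") return false;
  return users.some((u) => matches(u, { username: { $eq: username }, password: { $eq: password } }));
}

// Constructed request bodies, as a JSON body parser would hand them over.
const honest = JSON.parse('{"username":"lphillips","password":"s3cret-constructed"}');
const wrong = JSON.parse('{"username":"lphillips","password":"guess"}');
const operator = JSON.parse('{"username":"lphillips","password":{"$ne":""}}');

console.log("vulnerable:", loginVulnerable(honest), loginVulnerable(wrong), loginVulnerable(operator));
console.log("hardened:  ", loginHardened(honest), loginHardened(wrong), loginHardened(operator));
```

The type check is what closes the gap: once only strings reach the filter, a body containing an operator object is rejected before any query is built.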

Check out the video below for a detailed explanation.

Room Answers | TryHackMe NoSQL Injection

Room answers can be found here.

Video Walkthrough | TryHackMe NoSQL Injection
