I'm starting to learn MongoDB and was curious if it was susceptible to some type of injection attack similar to SQLi. Due to the nature of the DB, I don't think you can inject into it but... What other type of attacks can be leveraged against MongoDB?
You should watch this video http://www.youtube.com/watch?v=Cy8-EYS3HeM It tells all about NoSQL databases. – kishan keswani Aug 02 '14 at 10:43
4 Answers
Insecure Direct Object Reference
Client-Side Enforcement of Server Side Security
Server-Side JavaScript Injection
Also, MongoDB should not be accessible to the public. It can be password protected, and passwords can be brute-forced. Client-side JS can communicate with MongoDB directly, and MongoDB can authenticate individual users. However, their authentication system is overly simplistic, and in practice I have only seen this design fail.
There are injection attacks against MongoDB, but these are largely mitigated by using proper data adapter libraries. Nonetheless, it's worth knowing that it's possible to inject in a few ways.
The first thing you've got to look out for is cases where you dynamically build a $where with JavaScript, using user input. By modifying their inputs, they may be able to alter your query. The second issue you've got to handle is injection of operators like $or (or parameters to such operators) which can alter the behaviour of the query. Both of these are mitigated by not using concatenation-style methods, but instead using libraries that work on data structures (e.g. JSON).
It may also be possible to escape the $ that precedes an operator, in order to provide alternative operators. Make sure you're properly escaping keys if user data is used in them.
All in all, I'd avoid stuff like NodeJS for anything security-critical. It's not been designed with any form of security in mind, and it's a young project. If you're consuming MongoDB from a different language, that's fine.
For more details, see MongoDB's FAQ.
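As an added example (not part of the answer above), the two mitigations it describes in JavaScript: building the filter as a data structure instead of a concatenated $where string, and refusing operator keys in user-supplied objects. The helper names and the sample request bodies are assumptions constructed for illustration; no database connection is needed to run it.

```javascript
// Added example: build MongoDB filters from untrusted input as data
// structures, never as concatenated JavaScript, and reject operator keys
// that a parsed request body must not be allowed to supply.
// Hypothetical helper names; the sample bodies below are constructed.

// A $where clause built by string concatenation lets the input alter the
// query itself. Shown only to contrast with the structured form; do not use.
function unsafeWhereQuery(username) {
  return { $where: "this.username == '" + username + "'" };
}

// Structured filter: the driver sends it as BSON, so the value is always
// compared as a literal string and can never become query code.
function safeUsernameQuery(username) {
  if (typeof username !== "string") {
    throw new TypeError("username must be a string");
  }
  return { username: username };
}

// Walk a user-supplied object (e.g. a parsed JSON body) and refuse any key
// beginning with '$' or containing '.', which MongoDB would interpret as an
// operator or a nested field path rather than plain data.
function assertNoOperatorKeys(value, path = "") {
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoOperatorKeys(v, `${path}[${i}]`));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (key.startsWith("$") || key.includes(".")) {
        throw new Error(`rejected key "${key}" at ${path || "root"}`);
      }
      assertNoOperatorKeys(value[key], path ? `${path}.${key}` : key);
    }
  }
  return value; // primitives and clean objects pass through unchanged
}

// Constructed sample inputs: a normal login body and one carrying an operator
// object in place of the password string.
const normalBody = { username: "alice", password: "s3cret" };
const operatorBody = { username: "alice", password: { $ne: "" } };

// True only when the body contains no operator keys and the username is a
// plain string that can be placed into a structured filter.
function isBodyAccepted(body) {
  try {
    assertNoOperatorKeys(body);
    safeUsernameQuery(body.username);
    return true;
  } catch (e) {
    return false;
  }
}
```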
First, a vulnerability similar to SQL injection can be done in MongoDB or NoSQL databases too, which would be MongoDB injection.
Try to run MongoDB on a different port instead of the default 27017 to avoid exposing it. For official security practices you can always check out http://docs.mongodb.org/manual/administration/security/
It tells the security practices that should be used with the MongoDB server.
MongoDB Injection:
It is fully described here for PHP how MongoDB injection can take place in a PHP web app if client-side data is not filtered properly, along with a solution to MongoDB injection too.
http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/
MongoDB Null Byte Injection Attack
http://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/
This is also a type of attack that is well written up on this site. Have a look at how certain fields in a Mongo collection can be overwritten using this method; this can be done in any web app.
The tool NoSQLMap includes a lot of functionality that directly targets MongoDB.
https://github.com/tcstool/NoSQLMap
There is an even better video available that shows all sorts of attacks.
You will also find that NoSQLMap calls out to the metasploit-framework, e.g., exploit/linux/misc/mongod_native_helper
The project also suggests a viewing of this DEF CON talk -- https://www.defcon.org/images/defcon-21/dc-21-presentations/Chow/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf
Another tool is the Nosql Exploitation Framework
https://github.com/torque59/Nosql-Exploitation-Framework
And yet another on GitHub here -- https://github.com/cyberpunkych/attacking_mongodb
It turns out that MongoDB has some bad defaults (e.g., anonymous access, /var/mongo/f.txt or default file locations, etc), easily-guessed albeit modified settings, and classic issues as well as web issues.