Add example for NoSQL injection scenario #6
Description
Hi team! In the previous issue I suggested to add NoSQL injection attack scenario to the A8:2019 section.
Possible scenarios:
Scenario 1
We have MEAN stack application with basic CRUD functionality for operations with bookings.
Attacker managed to identify that NoSQL injection might be possible through bookingId query string parameter in delete booking request.
Request looks like:
DELETE /bookings?bookingId=678
On server side, application uses the following function to handle a request:
router.delete('/bookings', async function (req, res, next) {
try {
const deletedBooking = await Bookings.findOneAndRemove({'_id' : req.query.bookingId});
res.status(200);
} catch (err) {
res.status(400).json({error: 'Unexpected error occured while processing a request'});
};
Attacker intercepted the request and changed bookingId query string parameter as below:
DELETE /bookings?bookingId[$ne]=678
As a result, an attacker managed to delete another user booking.
Scenario 2
Application uses the MongoDB on a server side. Application developers forgot about proper data validation during implementation of log in functionality and it looks like following:
router.put('/auth/login', async function(req, res, next) => {
const email = req.body.email;
const password = req.body.password;
const authenticatedUser = await Users.findOne({email: email, password: password});
if (authenticatedUser)
res.status(200).json({users: authenticatedUser});
else
res.status(400).json({error: 'Invalid email or password!'});
})
Attacker modifed login request payload and send it to the server. Modified request listed below:
PUT /auth/login
{"email":{"$ne":"john@example.com"},"password":{"$ne":"mypass234"}}
Request was completed successfully and an attacker got access to another user account.