other type of db, non relational database. known as NoSQL. Attacks are possible here to and is known as NoSQLi. If attacks is successful then:

• Bypass authentication or protection mechanisms.
• Extract or edit data.
• Cause a denial of service.
• Execute code on the server.

NoSQL is made to handle large volumes of data, unstructured or semi-structured data. And they have fewer relational constraints and consistency checks than SQL.

Wide variety of NoSQL databases, so find model framework and language. Some common types:

• Document stores - store data in flexible, semi-structured documents. formats → JSON, BSON, and XML. queried in an API or query language. Eg: MongoDB, Couchbase
• Key-value stores - store data in a key-value format. Each data field is a unique key string. and value is fetched from the unique key. Eg: Redis, Amazon DynamoDB
• Wide-column stores - organize related data into flexible column families. Eg: Apache Cassandra, Apache HBase
• Graph databases - use nodes to store data entities, and edges to store relationships between entities. Examples: Neo4j, Amazon Neptune.

2 Types of NoSQLi

• Syntax injection - when you break the NoSQL query syntax, enabling you to inject your own payload. The methodology is similar to that used in SQL injection.
• Operator injection - when you can use NoSQL query operators to manipulate queries.

NoSQL Syntax Injection:

• detect NoSQL injection vulnerabilities by attempting to break the query syntax

  • test each input by submitting fuzz strings and special characters that trigger a database error or some other behaviour

    API language of db known? then use special characters that are used in that language.

    Also, encode the fuzzing string appropriately. If not then, it wont get executed in the db.

• After detecting a vulnerability, the next step is to determine whether you can influence boolean conditions using NoSQL syntax. using a true condition and a false condition.

  1. ' && 0 && 'x':

     • ' is a non-empty string, which is considered truthy.
     • 0 is a falsy value (evaluates to false).
     • 'x' is a non-empty string, which is considered truthy.

     the && operator requires all operands to be truthy for the entire expression to be truthy, the presence of 0 (falsy value) makes the entire expression ' && 0 && 'x' evaluate to false.

  2. ' && 1 && 'x':

     • ' is a non-empty string, which is considered truthy.
     • 1 is a truthy value (evaluates to true).
     • 'x' is a non-empty string, which is considered truthy.

     Since all operands are truthy, the expression ' && 1 && 'x' evaluates to true

If Boolean Conditions have been identified then inject JavaScript condition that always evaluates to true, such as '||1||'

• Lab: Detecting NoSQL injection

NoSQL Operator Injection:

• $where - Matches documents that satisfy a JavaScript expression.
  • db.users.find({$where: "this.username == '" + username + "' && this.password == '" + password + "'"})
• $ne - Matches all values that are not equal to a specified value.
  • db.users.find({username: {$ne: ""}, password: {$ne: ""}})
• $in - Matches all of the values specified in an array.
  • db.users.find({username: {$in: [username, "admin"]}})
• $exists - checks if a field exists in a document
  • db.users.find({username: username, password: {$exists: true}})
• $all - checks if a field matches all values in a list.
  • db.users.find({roles: {$all: ["admin", "user"]}})
• $eval - allows for arbitrary JavaScript code to be executed on the server,
  • db.runCommand({$eval: "db.collection.drop()"})
• $regex - Selects documents where values match a specified regular expression.
  • db.users.find({username: {$regex: ".*"}})

eg:

{"username":{"$ne":"invalid"}}

username[$ne]=invalid

{"username":{"$in":["admin","administrator","superadmin"]}

"password":{"$ne":""}}

{"username":{"$regex":"admin.*"}

pass[$ne]=""

{username: {$ne "fu"}, password: {$ne "bar"}}

user[$ne]=fu&pass[$ne]=bar

• Lab: Exploiting NoSQL operator injection to bypass authentication

Info can be extracted from this kind of NoSQLi. a NoSQL is present and attacker can start by reconning and trying to see if it gives different response on different conditions. passing conditional statements and seeing if responds differently or not. and with that we can exfiltrate data accordingly.

• Lab: Exploiting NoSQL injection to extract data