NoSQL INJECTIONS IN NODE.JS
The case of MongoDB
Vladimir de Turckheim
5 DEC 2016
</> IN PRACTICE

app.post('/documents/find', (req, res) => {
  const query = { };
  if (req.body.desiredType) query.type = req.body.desiredType;
  if (!query.type) return res.json([ ]);
  Document.find(query).exec()
    .then((r) => res.json(r));
});

req.body: { desiredType: 'blog' }
query: { type: 'blog' }
outcome: All documents whose field 'type' equals 'blog'

req.body: { desiredType: { $ne: 0 } }
query: { type: { $ne: 0 } }
outcome: All documents whose field 'type' does not equal 0
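Added example, not code from the slides: it reproduces the handler above against a constructed in-memory collection (a hypothetical stand-in for `Document.find`, modelling only equality and `$ne`) so you can see, without a MongoDB instance, why the truthiness check lets an operator object through and how many documents the resulting filter returns. `handleFindChecked` adds the string check from the later middleware slide in front of the same route for comparison.

```javascript
// Added example, not from the slides: why the truthiness check on the
// "IN PRACTICE" slide does not stop an operator object, shown against a
// constructed in-memory collection so it runs without MongoDB.

// Constructed sample documents standing in for the Document collection.
const DOCUMENTS = [
  { _id: 1, type: 'blog', title: 'Hello' },
  { _id: 2, type: 'page', title: 'About' },
  { _id: 3, type: 'draft', title: 'Work in progress' },
];

// Same logic as the slide's handler: req.body.desiredType is copied into the
// filter after a truthiness check only. A non-empty object is truthy, so
// { $ne: 0 } passes the check and is forwarded unchanged.
function buildQuery(body) {
  const query = {};
  if (body.desiredType) query.type = body.desiredType;
  return query;
}

// Hypothetical stand-in for Model.find(): evaluates only the two filter
// shapes the slides show, plain equality and { $ne: value }.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if (Object.prototype.hasOwnProperty.call(cond, '$ne')) {
        return doc[field] !== cond.$ne;
      }
      throw new Error('operator not modelled here: ' + JSON.stringify(cond));
    }
    return doc[field] === cond;
  });
}

function find(filter) {
  return DOCUMENTS.filter((doc) => matches(doc, filter));
}

// The route as on the slide: an empty filter answers with an empty list.
function handleFind(body) {
  const query = buildQuery(body);
  if (!query.type) return [];
  return find(query);
}

// The same route behind the string check from the middleware slide: a value
// that is not a string is rejected before any query is built.
function handleFindChecked(body) {
  if (body.desiredType !== undefined && typeof body.desiredType !== 'string') {
    return { error: 'desiredType must be a string' };
  }
  return handleFind(body);
}

// Walk through the three request bodies the slides discuss.
for (const body of [{ desiredType: 'blog' }, {}, { desiredType: { $ne: 0 } }]) {
  console.log(JSON.stringify(body), '->', JSON.stringify(handleFind(body)));
}
```

The third body returns every document in the collection: the guard `if (!query.type)` only protects against a missing value, not against a value of the wrong type, which is the point the table above makes.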
WAIT, THERE IS WORSE

{ $where: 'this.amount > 0' }

In MongoDB < 2.4, it is possible to perform all operations on a database from an injection (including dropDatabase).
VALIDATE WHAT GETS INSIDE YOUR APPLICATION

hapi: on a route, use config.validate
express: add a data validation middleware
  It can be a custom one
  It can use a third-party library
  See tutorial online
</> EXPRESS: CUSTOM DATA VALIDATION MIDDLEWARE

// Declared before the route registers it: a const referenced before its
// declaration throws at startup.
const validate = function (req, res, next) {
  const body = req.body;
  if (body.desiredType && !(typeof body.desiredType === 'string')) {
    return next(new Error('desiredType must be a string'));
  }
  next();
};

app.post('/documents/find', validate, (req, res) => ...);
</> EXPRESS: USING JOI AND CELEBRATE TO VALIDATE DATA

// Imports as the celebrate API looked at the time of the talk (late 2016);
// newer celebrate versions export `celebrate` and `Joi` as named exports.
const Joi = require('joi');
const Celebrate = require('celebrate');

const validate = Celebrate({
  body: Joi.object().keys({
    desiredType: Joi.string().optional()
  })
});

app.post('/documents/find', validate, (req, res) => ...);
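Added example, not code from the slides or from the joi/celebrate projects: an Express-style validation middleware that generalises the two slides above and the `$where` slide. It combines the custom middleware's `typeof` check with a field allowlist (the role the Joi schema plays) and a walk over the whole body that refuses any key starting with `$` or containing `.`, so operator objects such as `{ $ne: 0 }` or a top-level `$where` are rejected before any query is built. The schema `FIND_SCHEMA`, the helpers `findOperatorKey`, `makeValidator` and the fake `runMiddleware` harness are constructed for this example so it runs without Express.

```javascript
// Added example, not from the slides: an Express-style (req, res, next)
// validation middleware exercised through a constructed fake harness.

// Constructed schema: accepted field -> expected typeof.
const FIND_SCHEMA = { desiredType: 'string' };

// Returns the path of the first key that looks like a MongoDB operator
// ('$...') or a dotted field path anywhere in the value, or null if clean.
function findOperatorKey(value, path = 'body') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (key.startsWith('$') || key.includes('.')) return `${path}.${key}`;
      const hit = findOperatorKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Builds a middleware for a schema. Order matters: the operator walk runs
// first so a nested operator is reported even inside an allowed field.
function makeValidator(schema) {
  return function validate(req, res, next) {
    const body = req.body || {};
    const bad = findOperatorKey(body);
    if (bad) return res.status(400).json({ error: `operator not allowed at ${bad}` });
    for (const key of Object.keys(body)) {
      // hasOwnProperty rather than `in`, so inherited names such as
      // "constructor" are not treated as allowed fields.
      if (!Object.prototype.hasOwnProperty.call(schema, key)) {
        return res.status(400).json({ error: `unexpected field ${key}` });
      }
      if (typeof body[key] !== schema[key]) {
        return res.status(400).json({ error: `${key} must be a ${schema[key]}` });
      }
    }
    return next();
  };
}

// Tiny stand-in for Express: records the status/body the middleware sends,
// or that it called next().
function runMiddleware(middleware, body) {
  const result = { status: 200, body: null, passed: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(payload) { result.body = payload; return this; },
  };
  middleware({ body }, res, () => { result.passed = true; });
  return result;
}

const validateFind = makeValidator(FIND_SCHEMA);

// Run the bodies from the slides through the middleware.
for (const body of [{ desiredType: 'blog' }, { desiredType: { $ne: 0 } }, { $where: 'this.amount > 0' }]) {
  console.log(JSON.stringify(body), '->', JSON.stringify(runMiddleware(validateFind, body)));
}
```

In a real application `validateFind` is mounted exactly like the slide's `validate`: `app.post('/documents/find', validateFind, handler)`. The allowlist is what the Joi schema gives you for free; the `$`/`.` walk is the extra check worth keeping even with a schema library, because it fails closed on any operator regardless of which field it hides in.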
THANKS FOR YOUR ATTENTION !
Contact me at
vladimir@sqreen.io