NoSQL Injection
It is common for a modern MEAN Stack to use NoSQL (non-relational) databases to store user data. NoSQL Injection is a vulnerability which allows an attacker to modify the NoSQL queries that an application makes to its NoSQL database via user input. This could be abused to view, modify, or delete application data which wasn't previously possible, or causing persistent changes to the application's content or behaviour.
Within DVWS, a public Notes area exist, it is possible for any user of the application to search for notes that are public using this area.
When conducting this search, the HTTP request sent to the API is as follows.
POST /api/v2/notesearch HTTP/1.1
Host: dvws.local
Content-Length: 36
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyIiwicGVybWlzc2lvbnMiOlsidXNlcjpyZWFkIiwidXNlcjp3cml0ZSJdLCJpYXQiOjE1OTE0NDgzNzIsImV4cCI6MTU5MTYyMTE3MiwiaXNzIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nub29weXNlY3VyaXR5In0.kNt8Ii58BflkixwYYnZaGEStbMCgB4g6rlbpuOTeJ2s
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4164.0 Safari/537.36 autochrome/red
Content-Type: application/json;charset=UTF-8
Origin: http://dvws.local
Referer: http://dvws.local/search.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
{"search":"foobarsnote"}
It is possible to modify the search parameter due to user input being taken directly from the search parameter to build a NoSQL query by the API. This can be used to fetch all notes stored by the API.
