BIPI

NoSQL Injection: MongoDB, Couchbase, Redis Operator Abuse

Cybersecurity

NoSQL injection is alive and well in 2023. We cover MongoDB operator abuse, JavaScript injection via $where, Couchbase N1QL tricks, and Redis command injection through Lua and module attack surface.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 17, 2023 · 10 min read

#nosql #mongodb #redis #couchbase #injection

Operator injection in MongoDB

Apps that build queries from JSON without strict typing accept attacker controlled operators. A login payload that should send username and password as strings becomes one with password set to a $ne object, and the password check trivially passes. The vector is form parsers that allow arrays or objects where the developer expected strings.

Operator cheat sheet

  • $ne, not equal, bypasses equality checks
  • $gt and $lt, range checks, useful for blind extraction one character at a time
  • $regex, classic pattern match, leak passwords with /^a/, /^ab/, /^abc/ probes
  • $where, full JavaScript eval, leads to denial of service or info disclosure

JavaScript injection via $where

Older Mongo deployments allow $where: 'this.password.match(/^a/)'. Injection here is JavaScript: sleep loops confirm blind injection, and on misconfigured servers the injected code can reach scope objects.

Couchbase N1QL

N1QL looks like SQL and inherits SQL injection patterns. ' OR 1=1 -- works in string contexts. Use the UNION operator to pull data from other buckets if the app role has cross bucket access. Couchbase eventing functions evaluated as JavaScript add a second tier of risk.

Redis command injection

Redis is not queried like SQL, but apps that build raw RESP frames or pass user strings to EVAL Lua scripts create injection. If you can inject a newline plus CONFIG SET dir followed by SAVE, you can write web shells to disk. The Webmin RCE and several CMS plugin RCEs follow this pattern.

Tooling

NoSQLMap automates Mongo and Couch attacks. Wapiti has a NoSQL module. For Redis, redis-cli combined with the app proxy is enough. Burp Intruder with operator wordlists is the workhorse for blind extraction.

Blind extraction example

  1. Confirm the vulnerability: a login with password set to a $ne empty-string object authenticates
  2. Pivot to extraction with username set to a $regex anchored on single characters
  3. Measure the boolean response, found or not found
  4. Iterate character by character until the hash is reconstructed

Detection

  • Mongo logs showing repeated $regex queries with single character anchors
  • Spike in 401 followed by 200 on the same username, classic operator bypass signal
  • EVAL commands from app users in Redis MONITOR output

Remediation

  1. Coerce all user input to string before query construction, never pass objects directly
  2. Disable $where and JavaScript evaluation in Mongo production config
  3. Use parameter binding in N1QL and parameterized Lua scripts in Redis
  4. Apply least privilege at the database role, no schema or admin operations from app accounts
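Remediation step 1 in code, as an added example that is not from the original article: a Node login handler's query builder in its vulnerable form beside a hardened form that enforces "coerce to string, never pass objects". The body parser and MongoDB driver are assumed; no database is needed to run it.

```javascript
// Added example (not the article's or any project's code). Shows why a
// JSON-typed body lets operators through, and the check that stops it.

// Vulnerable: whatever the JSON body parser produced is forwarded verbatim,
// so {"password": {"$ne": ""}} becomes a query operator instead of a string.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Returns true if the value is an object carrying any "$"-prefixed key at
// any depth, which is the shape a MongoDB operator takes after JSON parsing.
// Useful as a detection check on inbound bodies, not as the only defence.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k])
    );
  }
  return false;
}

// Hardened: every field that must be a string has to actually be a string.
// Objects, arrays, numbers and missing values are rejected before a query is
// built, so operators cannot be smuggled in through a typed body.
// (A real handler would look up by username only and verify a password hash
// in application code; the filter mirrors the article's login example.)
function buildLoginFilterHardened(body) {
  const fields = ['username', 'password'];
  const filter = {};
  for (const name of fields) {
    const v = body[name];
    if (typeof v !== 'string' || v.length === 0 || v.length > 256) {
      throw new TypeError(`field "${name}" must be a non-empty string`);
    }
    filter[name] = v;
  }
  return filter;
}

// Constructed sample bodies: a legitimate login and the classic $ne bypass.
const legit = { username: 'alice', password: 'correct horse' };
const bypass = { username: 'alice', password: { $ne: '' } };
```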

~38%: apps allowing JSON typed inputs without validation

6m: median blind extraction time for an 8 char hash

"If your password field can be an object, your auth check is a suggestion."
