InfoTrackGlobal / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
https://owasp-juice.shop
MIT License

Fix NoSQL Injection Vulnerability in Wallet Route #5

Open nullify-infotrack[bot] opened 3 months ago

nullify-infotrack[bot] commented 3 months ago

This pull request addresses a high-severity NoSQL injection vulnerability identified in the wallet route of the Juice Shop application. The issue, identified by the ID 01HTES3V4Z69ZFDY9R8GJRDF9V, occurs due to untrusted user input being used directly within the findOne() function, which interacts with the MongoDB database. This could potentially allow an attacker to inject malicious NoSQL queries, leading to unauthorized data access or manipulation.

To remediate this vulnerability, we have implemented input validation and sanitization checks to ensure that only properly formatted data is passed to the database query. This prevents the possibility of injection attacks while maintaining the functionality of the application.

The changes include:

By applying these fixes, we enhance the security of the Juice Shop application and protect it against NoSQL injection attacks.

WillCohenInfotrack commented 3 months ago

/nullify give me a payload that would exploit this existing problem

nullify-infotrack[bot] commented 3 months ago

The existing problem this code change is addressing is a type confusion vulnerability. The application does not correctly validate or sanitize the inputs 'paymentId' and 'UserId' while querying the CardModel. As such, a malicious user could pass a non-numeric value for the 'paymentId' or 'UserId' to trigger an unexpected behavior/code path, possibly leading to a broader attack like SQL Injection.

For example, consider the following payload:

{ "paymentId": "1 UNION SELECT * FROM user;", "UserId": "1 UNION SELECT password FROM user;" }

In the above input, the payload contains SQL Injection attacks. After being inserted into the server-side query, they might expose sensitive data from the 'user' table. With the implementation of sanitization (conversion into a 'Number') in this pull request, such injection attacks would be prevented.
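The validation step the PR description and the bot's reply refer to (coercing paymentId and UserId to numbers before they reach findOne), written out as an added example that is not Juice Shop's code and not part of this pull request. The helper names, the in-memory collection and the Express-style handler shape are assumptions, and the check is deliberately stricter than a bare Number() conversion: only positive integers get through, so the query object can never carry a string fragment or a nested object.

```javascript
'use strict';

// Constructed sample data standing in for the card/wallet collection.
const CARDS = [
  { id: 1, UserId: 7, cardNum: '****1111' },
  { id: 2, UserId: 8, cardNum: '****2222' },
];

// Minimal findOne stand-in (assumed, not an ODM): exact match on every key.
function findOne(collection, query) {
  return collection.find((doc) =>
    Object.keys(query).every((k) => doc[k] === query[k])) || null;
}

// Coerce an identifier from req.params / req.body into a positive integer.
// Anything else (objects carrying query operators, SQL fragments, floats,
// negatives, hex, empty strings, undefined) is rejected, so the query built
// later can only ever contain a validated number.
function toRecordId(value) {
  if (typeof value === 'number') {
    if (!Number.isSafeInteger(value) || value <= 0) {
      throw new TypeError('id must be a positive integer');
    }
    return value;
  }
  if (typeof value === 'string' && /^[1-9][0-9]*$/.test(value)) {
    const n = Number(value);
    if (Number.isSafeInteger(n)) return n;
  }
  throw new TypeError('id must be a positive integer');
}

// Hardened lookup: raw request values in, a query of plain numbers out.
function findCardSafe(rawPaymentId, rawUserId) {
  const id = toRecordId(rawPaymentId);
  const UserId = toRecordId(rawUserId);
  return findOne(CARDS, { id, UserId });
}

// Express-style handler (assumed shape): a validation failure becomes a 400
// response and never reaches the database layer.
function walletHandler(req, res) {
  try {
    const card = findCardSafe(req.params.paymentId, req.user.id);
    return card ? res.status(200).json(card)
                : res.status(404).json({ error: 'not found' });
  } catch (e) {
    return res.status(400).json({ error: e.message });
  }
}
```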