andresriancho / w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
http://w3af.org/

NoSQL, nodejs, express, MongoDB: Injection #4398

Open andresriancho opened 10 years ago

andresriancho commented 10 years ago

Contributor wanted

This issue is easy and looking for a contributor; just add a comment saying you'll do it and it's yours!

Not sure where to start from? Take a look at our First steps as a contributor and Contributing 101 wiki pages.

Other interesting tasks which can be completed by new w3af contributors can be found here.

User story

As a developer I'm creating new applications using nodejs, express and mongodb. I would like w3af to be able to identify vulnerabilities in my app.

Conditions of satisfaction

inkz commented 8 years ago

@andresriancho I want to try this one! Should I make a pull request when the whole task is done, or can I move step by step?

andresriancho commented 8 years ago

@inkz sounds good! Go ahead and work on it. Please, as a first step, explain what you plan to do in the ticket and we'll start from there. Example of what I expect: "I'll write a new ... plugin which will send requests with payloads ... and analyze output using .... Then, if the output is ... I'll ..."

inkz commented 8 years ago

@andresriancho I read all the references and found out which payloads to use, but I don't understand how to analyze the response, because it can differ depending on the current application.

inkz commented 8 years ago

@andresriancho this is how I see it:

  1. I'll create a new plugin
  2. this plugin will send requests with payloads: ', ", ;, {, }
  3. and search for error messages in the response (like { "$err" : "SyntaxError: Unexpected token ILLEGAL", "code" : 16722 })
  4. if there are any, we found a vulnerability

andresriancho commented 8 years ago

  1. Which type of plugin?
  2. Will those payloads detect >80% of nosql vulnerability cases? Do we need to add more? Maybe use a different technique like "blind nosql injection detection"?
  3. Which nosql databases will be supported by the plugin? Will English be the only supported language for error messages?
  4. What happens if w3af is scanning a forum where developers post error messages? Please see sqli.py to find out how to prevent these false positives

I'm asking all these questions to make sure we have everything ready before starting, we're aware of the plugin limitations and potential issues. I don't expect the plugin to detect 100% of nosql injections, but at least we should know which ones will NOT be detected.

Please do answer the questions I made in this comment and go ahead with the plugin coding :+1:
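Added example (not w3af code and not from either participant): a stand-alone Python sketch of the detection logic the two comments above discuss, so the plan and the review questions can be seen side by side. The error-based pass follows inkz's plan (send `'`, `"`, `;`, `{`, `}` and look for the `$err` message quoted above) with the false-positive guard andresriancho asks about (an error string that the unmodified page already contains is never reported). The blind pass uses MongoDB operator injection: Express's default query-string parser (`qs`) turns `?user[$ne]=x` into `{user: {$ne: 'x'}}`, so a `$ne` condition matches every document and a `$eq` with a random token matches none. The `MongoError`/`CastError` fingerprints, the `mock_app` routes and the `USERS` data are constructed for this example and are assumptions, not observed behaviour of any real application.

```python
"""Detection logic sketch for a NoSQL (MongoDB) injection audit plugin.
Constructed example, not w3af code: the error-based part follows the plan in
the thread (send ', ", ;, {, }, look for a Mongo error, ignore errors that the
untouched page already shows); the blind part uses operator injection, which
Express's default query parser (qs) enables by turning ?user[$ne]=x into
{user: {$ne: 'x'}}."""
import difflib
import re
from collections import namedtuple

Finding = namedtuple("Finding", "param payload technique")

SYNTAX_PAYLOADS = ["'", '"', ";", "{", "}"]  # step 2 of the plan in the thread

# The first two fingerprints come from the $err message quoted in the thread;
# MongoError/CastError are assumed Node-driver/mongoose strings, verify before use.
ERROR_SIGNATURES = [
    re.compile(r'"\$err"\s*:'),
    re.compile(r"SyntaxError: Unexpected token"),
    re.compile(r"\bMongoError\b"),
    re.compile(r"\bCastError: Cast to ObjectId failed"),
]

def error_based(param, payload, original_body, mutated_body):
    """Flag only an error the payload introduced: a signature that already
    matches the unmodified response (a forum post quoting a Mongo error) is
    skipped, the same false-positive guard w3af's sqli.py applies."""
    for rx in ERROR_SIGNATURES:
        if rx.search(mutated_body) and not rx.search(original_body):
            return Finding(param, payload, "error")
    return None

def similar(a, b, threshold=0.9):
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold

def blind_operator(param, send):
    """Boolean-blind check: {$ne: token} is true for every document, {$eq: token}
    false for every document. Report only when the true response is stable over
    two requests and differs from the false one, so pages that change on every
    request are not reported. `send(query_dict)` returns a response body."""
    token = "w3afnosql"  # constructed; a real plugin would use a random token
    true1 = send({"%s[$ne]" % param: token})
    true2 = send({"%s[$ne]" % param: token})
    false = send({"%s[$eq]" % param: token})
    if similar(true1, true2) and not similar(true1, false):
        return Finding(param, "%s[$ne]=%s" % (param, token), "blind")
    return None

def scan(route, param, send):
    """Per fuzzable parameter, as an audit plugin would: one error-based pass
    over the syntax payloads, then one blind pass. Returns a list of Findings."""
    original = send(route, {param: "admin"})
    findings = []
    for payload in SYNTAX_PAYLOADS:
        found = error_based(param, payload, original, send(route, {param: "admin" + payload}))
        if found:
            findings.append(found)
            break
    found = blind_operator(param, lambda q: send(route, q))
    return findings + [found] if found else findings

# --- constructed mock of a vulnerable Express + MongoDB app, so this runs offline ---
USERS = [{"user": "admin", "role": "admin"}, {"user": "bob", "role": "user"}]

def _parse_qs(query):
    """Minimal imitation of qs: {'user[$ne]': 'x'} -> {'user': {'$ne': 'x'}}."""
    doc = {}
    for key, value in query.items():
        m = re.match(r"^(\w+)\[(\$\w+)\]$", key)
        if m:
            doc.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            doc[key] = value
    return doc

def _match(field, cond):
    """Tiny subset of Mongo matching: plain equality, $ne and $eq."""
    if isinstance(cond, dict):
        return all((field != v) if op == "$ne" else (field == v) for op, v in cond.items())
    return field == cond

def mock_app(route, query):
    """/search concatenates input into a $where JS string (error-based target),
    /login passes the parsed object straight to findOne (blind target), and
    /forum always shows a post quoting a Mongo error (false-positive trap)."""
    parsed = _parse_qs(query)
    if route == "/search":
        user = parsed.get("user", "")
        if isinstance(user, dict):
            user = "[object Object]"  # what JS string concatenation would yield
        js = "this.user == '" + user + "'"
        if js.count("'") != 2:  # unbalanced quote: V8 parse error surfaced by Mongo
            return '{ "$err" : "SyntaxError: Unexpected token ILLEGAL", "code" : 16722 }'
        return "results: " + ", ".join(u["user"] for u in USERS if u["user"] == user)
    if route == "/login":
        for u in USERS:
            if all(_match(u.get(k), v) for k, v in parsed.items()):
                return "Welcome %s (%s)" % (u["user"], u["role"])
        return "Invalid credentials"
    return 'dev post: my app printed { "$err" : "SyntaxError: Unexpected token ILLEGAL" }'
```

Running `scan(route, "user", mock_app)` for the three mock routes reports an error-based finding for `/search` (the single quote breaks the `$where` string), a blind finding for `/login` (the `$ne` operator logs in as the first user while `$eq` with the random token does not), and nothing for `/forum`, where the error text is present before any payload is sent. The blind pass will still miss endpoints whose true and false responses look alike, and the error pass only covers English driver messages; those are the known gaps andresriancho asks to document.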

inkz commented 8 years ago

@andresriancho

  1. Audit plugin
  2. OK, I will improve my technique with blind NoSQL detection
  3. Well, I thought only about Mongo, but I will try others; I can add different languages (at least Russian :))
  4. Done :)