muqeetkhan20 / JuneSanity


NoSQL_Injection on PUT:/api/v1/savings-transaction #2115

Open qauser21 opened 3 years ago

qauser21 commented 3 years ago

Title: NoSQL_Injection Vulnerability on PUT:/api/v1/savings-transaction
Project: Sanity 7th July
Description: The SQL Injection exploit allows an attacker to read/modify database records via API endpoint calls.

Assertion Name: NoSQL Injection ( 1 )

Overview: SQL Injection is an attack. It is executed by the insertion or “injection” of either a partial or a complete SQL query via query parameters, request body parameters, or path parameters, which are then passed on to the application server/database.

NoSQL databases are vulnerable to attacks similar to those on SQL databases. API endpoints expose a much bigger surface area than web/mobile forms do, which allows much deeper and more comprehensive attacks by injecting across all resource properties, query params, path params, and headers.

Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Severity: SQL Injection is classified under the category of “Injection Attacks” by OWASP. “Injection Attacks” has consistently been rated the number 1 category of attack by OWASP in the years 2010, 2013 and 2017 ( 2 ). SQL Injection is rated number 1 in the CWE / SANS Top 25 ( 3 ) ( 4 ).

Vulnerability Impact: A successful SQL Injection attack

Exploitation: A successful SQL Injection attack is possible when the attacker crafts a syntactically correct SQL query. If an error is thrown back by the API for an incorrect query, it becomes much easier for the attacker to reconstruct the logic of the original query. If the error is hidden, the attacker may have to reverse engineer the query for exploitation. It might happen because of the following

Remediation: A successful SQL Injection attack may be avoided by following the Secure Coding Practices outlined in the OWASP SQL Injection Prevention Cheat Sheet ( 5 ). The following are some of the techniques for remediating SQL Injection attacks.
References:
  1. SQL Injection: https://www.owasp.org/index.php/SQL_Injection
  2. OWASP Top 10 – 2017 – A1 Injection: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
  3. CWE – SANS – TOP 25: http://cwe.mitre.org/top25/
  4. Common Weakness Enumeration – SQL Injection: http://cwe.mitre.org/data/definitions/89.html
  5. OWASP SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Risk: NoSQL_Injection
Severity: Critical
API Endpoint: http://95.217.118.53:8080/api/v1/savings-transaction
Environment: Master
Playbook: ApiV1SavingsTransactionPutBodyParamNoSqlInjectionTimebound
Researcher: [apisec Bot]

QUICK TIPS

Suggestion: Avoid dynamic queries or use gateways/filters.
Effort Estimate: 3.0 Hrs
Wire Logs:

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017be1c6218f3584/details

Project: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/allScans

Environment: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/environments/8a8093567a8012b6017a803bf3181500/edit

Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/profiles/8a8093567a8012b6017a803c070d16cb/runs/8a8094e27bce7d6d017be1c0ae8030e8

Playbook: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/playbooks/ApiV1SavingsTransactionPutBodyParamNoSqlInjectionTimebound

Coverage: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/categories

Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017be1c6218f3584/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---
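The report above flags a NoSQL injection through a PUT body parameter and suggests avoiding dynamic queries or adding a filter in front of the database. The example below is added here to illustrate that advice; it is not code from the JuneSanity project or from the apisec report. It assumes a MongoDB-style document store queried with filter objects (the page does not say which database the project uses) and an Express-style handler that receives a JSON-parsed body. The collection, the request bodies, the `accountId` format `acc-NNN`, and the function names are all constructed for the example. A tiny in-memory evaluator stands in for the database so the block runs offline.

```javascript
// Added example, not JuneSanity project code. Assumes a MongoDB-style filter
// language; the in-memory collection and request bodies below are constructed.

// Constructed sample collection standing in for savings transactions.
const transactions = [
  { id: 1, accountId: "acc-100", amount: 50.0 },
  { id: 2, accountId: "acc-200", amount: 75.0 },
  { id: 3, accountId: "acc-300", amount: 20.0 },
];

// Minimal evaluator for the subset of MongoDB filter semantics this example
// needs: equality on scalar values, and the $ne / $gt / $regex operators
// when the condition is an object. Real drivers do exactly this expansion,
// which is why an attacker-supplied object is interpreted as an operator.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case "$ne": return value !== arg;
          case "$gt": return value > arg;
          case "$regex": return typeof value === "string" && new RegExp(arg).test(value);
          default: throw new Error(`unsupported operator ${op}`);
        }
      });
    }
    return value === cond;
  });
}

function find(filter) {
  return transactions.filter((doc) => matches(doc, filter));
}

// VULNERABLE: the parsed JSON body is trusted as-is. The handler expects
// accountId to be a string, but JSON.parse will just as happily produce an
// object, so {"accountId": {"$ne": ""}} becomes "every transaction whose
// accountId is not the empty string", i.e. every record in the collection.
function findByAccountVulnerable(body) {
  return find({ accountId: body.accountId });
}

// HARDENED, in two layers:
//  1. a generic gateway-style filter that rejects any key beginning with "$"
//     or containing "." anywhere in the body, so nothing in the request can
//     be parsed as an operator or a field path;
//  2. per-field type and format validation, so the value reaching the query
//     is a plain string that can only ever be compared for equality.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, child]) => key.startsWith("$") || key.includes(".") || hasOperatorKeys(child)
  );
}

function findByAccountHardened(body) {
  if (hasOperatorKeys(body)) {
    throw new Error("operator keys are not allowed in the request body");
  }
  const accountId = body.accountId;
  if (typeof accountId !== "string" || !/^acc-\d{3}$/.test(accountId)) {
    throw new Error("accountId must be a string matching acc-NNN");
  }
  return find({ accountId });
}

// Constructed request bodies: a legitimate PUT and an injected one.
const legitBody = JSON.parse('{"accountId":"acc-100","amount":10}');
const injectedBody = JSON.parse('{"accountId":{"$ne":""},"amount":10}');

// Returns the number of records each handler exposes for each body, plus
// whether the hardened handler rejected the injected body.
function demo() {
  let hardenedRejectedInjection = false;
  try {
    findByAccountHardened(injectedBody);
  } catch (e) {
    hardenedRejectedInjection = true;
  }
  return {
    vulnerableLegit: findByAccountVulnerable(legitBody).length,
    vulnerableInjected: findByAccountVulnerable(injectedBody).length,
    hardenedLegit: findByAccountHardened(legitBody).length,
    hardenedRejectedInjection,
  };
}

console.log(demo());
```

The vulnerable handler returns one record for the legitimate body and all three for the injected one, which is the read-everything primitive the report's description refers to. The key-rejection filter is the "gateway/filter" option from the report's suggestion and can sit in front of every route; the per-field type check is what actually removes the dynamic query, since a value that is provably a string can never carry an operator.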