CCT APP Written - Deck C Flashcards
What DB type is MongoDB
Document Oriented
What language are the documents in MongoDB stored
BSON (Binary JSON)
What is the reserved primary key is MongoDB
_id
What does a JSON NoSQL Injection look like
{“username”: { “$regex”: “.*”} }
What is an In-Band NoSQL Injection
When the attacker can use the same channel of communication to exploit a NoSQL Injection and receive the result
What is a Blind NoSQL Injection
Where the attacker does not receive the results from the NoSQL Injection but they infer the results based on how the server responds
What are the two sub-types of Blind NoSQL Injection
Boolean and Time-Based
What is a Boolean based NoSQL Injection
Where the attacker forces the server to evaluate a query and return one result or the other if it is true or false
What is a Time-based NoSQL Injection
Where the attacker makes the server wait for a specific amount of time before responding, usually indicating if the query is true or false
What is the format we use if the query is using URL encoded or x-www-form-urlencoded
Instead of JSON we use param[$regex]=val
What are some of the common NoSQL query operators
ne (not equal). Regex. Gt/Gte/Lt/Lte (Greater/Less than(equal to))
What is a simple auth bypass using NoSQL injection
username[$regex]=.&password[$regex]=.
Example of an NoSQL injection if we know the username
username=admin@mail.com&password[$ne]=invalid
What is the character we can use for $lt and $lte and why
We can use the tilde (~) as it is the largest ASCII character
How can we perform Blind Data Extraction using NoSQL
username[$ne]=^.* will be true. username[$ne]=^z.* will be false. username[$ne]=^A.* will be true.
What is SSJI
SSJI occurs when a $where query is used on the backend
What does SSJI stand for
Server Side JavaScript Injection
How can we exploit SSJI in NoSQL injection
Query: $where: ‘this.username === “<username>". We can make the username " || sleep(5000) || ""=="</username>