As you might imagine from the name, having no SQL means having no SQL injection. But does that make NoSQL databases completely secure to use, or can similar injection attacks be performed against applications using these kinds of databases?
I'll use MongoDB as the target of this blog post. MongoDB is a document-storage database that stores documents as BSON. It offers a rich set of possibilities for querying the database. The query language is also BSON, but queries can also be expressed as JSON (updated 2010-07-06). As you can imagine, this could open the door to JSON injection.
Consider this query:
    db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )
If the number 2 in the query above was coming from concatenation of string input, we might get the following injection:
    db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )
MongoDB also allows you to query by JavaScript expressions like this:
    db.myCollection.find( { $where: "this.a > 3" } );
Again, I can imagine bad things happening if parts of the JavaScript expression come from input.
There is good news, though. This query interface really seems to encourage building language-supported, fluent APIs. The .NET implementation called mongodb-net has a syntax like this:
    coll.FindOne(Where.Field(a => a == 1));
As we can see, the query language is mirrored in C#, and if implemented properly, this encourages developers using the API to use a syntax where they don't have to think about mixed contexts (control characters etc.). Given that the database driver is correctly implemented, this should help developers build queries in a secure way. Another implementation called mongodb-sharp supports LINQ, which in many ways does the same thing.
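The same contrast in JavaScript, the mongo shell's own language, as an added example that is not from the original post or from any driver: the `$or` filter above built by string concatenation and then built as a structure. The function names are hypothetical, the inputs are constructed, and the injected clause uses `$regex`, the JSON form of the `/.*/` match shown earlier.

```javascript
// Added illustration: string-built vs. structurally built MongoDB filters.
// No database is needed; we only inspect the filter that would be sent.

// Vulnerable: user input is concatenated into the JSON text of the query.
function buildFilterByConcat(userInput) {
  const text = '{ "$or": [ { "a": 1 }, { "b": ' + userInput + ' } ] }';
  return JSON.parse(text);
}

// Hardened: the input is converted to the expected type and placed as a
// value inside an object literal, so it can never add keys or clauses.
function buildFilterStructured(userInput) {
  const s = String(userInput).trim();
  if (!/^-?\d+$/.test(s)) {
    throw new TypeError("b must be an integer");
  }
  return { $or: [{ a: 1 }, { b: Number(s) }] };
}

// Defensive check for filters received from less trusted code: report any
// operator key ($where, $regex, ...) that is not on an explicit allow-list.
function findDisallowedOperators(filter, allowed = new Set(["$or"])) {
  const found = [];
  (function walk(node) {
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      if (key.startsWith("$") && !allowed.has(key)) found.push(key);
      walk(value);
    }
  })(filter);
  return found;
}

// Constructed inputs: a benign value and the post's injection in JSON form.
const benign = "2";
const injected = '2 }, { "c": { "$regex": ".*" }';

console.log(JSON.stringify(buildFilterByConcat(benign)));
console.log(JSON.stringify(buildFilterByConcat(injected)));
console.log(findDisallowedOperators(buildFilterByConcat(injected)));
try {
  buildFilterStructured(injected);
} catch (e) {
  console.log("rejected:", e.message);
}
```

With the concatenating builder the constructed input adds a third clause to `$or`; the structured builder refuses the same input because it is not an integer.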
There are loads of other NoSQL databases, like CouchDB, Cassandra and Neo4j. I'll probably have a look at some more of these in future blog posts, but in general I guess you could say that if there is a query language, it's usually possible to perform an injection attack (QL injection, or Query Language injection) in one way or another.
Just in case someone gets the wrong idea: these security flaws would be flaws in the application generating the query, not in the NoSQL database engine. The same holds for regular SQL injection.