Enhancement: Comprehensive NoSQL Injection Module (Levels 1-6) #537
MohammedGhallab wants to merge 21 commits into SasanLabs:master from
Conversation
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
##             master     #537      +/-   ##
============================================
- Coverage     49.33%   48.79%   -0.54%
- Complexity      346      398      +52
============================================
  Files            56       66      +10
  Lines          2090     2439     +349
  Branches        225      255      +30
============================================
+ Hits           1031     1190     +159
- Misses          978     1152     +174
- Partials         81       97      +16
|
| import org.sasanlabs.internal.utility.LevelConstants; | ||
| import org.sasanlabs.internal.utility.Variant; | ||
| import org.sasanlabs.internal.utility.annotations.AttackVector; | ||
| import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping; |
Please remove sample vulnerability related classes and files. There are js files as well.
| false); | ||
| } | ||
|
|
||
| // Level 11: Maximum protection using Content-based validation (MIME Type) |
I apologize for not clarifying earlier. The reason is that Level 10 is secure but remains vulnerable to file content spoofing. For instance, if a text file's extension is renamed to an image format, the server accepts it immediately. To address this, I’ve introduced Level 11, which implements deep file content inspection to ensure the server isn't deceived by misleading extensions.
| org.sasanlabs.service.vulnerability.nosql.User.class)) { | ||
| mongoTemplate.dropCollection(org.sasanlabs.service.vulnerability.nosql.User.class); | ||
| } | ||
| mongoTemplate.save( |
Is there a way to just use application.properties to set up mongo instead of hardcoded passwords etc. in the configuration file?
Yes, absolutely. I agree that hardcoding credentials is not ideal. I can move the MongoDB configuration to the application.properties file and use Spring Boot's @Value annotation or ConfigurationProperties to inject them into the configuration class. This will make the setup more secure and flexible. I will update the PR with these changes shortly.
Can we make MongoDB ephemeral, i.e. an in-memory database like H2 db?
@MohammedGhallab I can still see passwords as part of the code instead of config.
| Object data, boolean isValid) { | ||
| try { | ||
| String content = | ||
| (data instanceof String) |
I would suggest not using the ternary operator; please use if..else.
I appreciate the suggestion. I will replace the ternary operator with a standard if..else block to improve code readability as requested. I will push the update shortly.
| HEADER_INJECTION_VULNERABILITY=It tests how a JWT header can be manipulated to alter the signature verification. No newline at end of file | ||
| HEADER_INJECTION_VULNERABILITY=It tests how a JWT header can be manipulated to alter the signature verification. | ||
|
|
||
| NOSQL_INJECTION_VULNERABILITY=No Injection vulnrabilty No newline at end of file |
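Review bot: the new NOSQL_INJECTION_VULNERABILITY value reads "No Injection vulnrabilty": "vulnrabilty" is misspelled and "No Injection" should read "NoSQL Injection". Since this label is the text the UI shows for the vulnerability, expand it into a proper description rather than a one-liner, and end the file with a trailing newline (the two HEADER_INJECTION_VULNERABILITY lines differ only in that newline, which is fine).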
Can you write payloads for each level?
Sure! Here are the payloads for each level to demonstrate the NoSQL Injection vulnerabilities:
Level 1 (String Concatenation): admin" , "password": {"$ne": "1"}
Level 2 (Direct Object Injection): {"$gt": ""}
Level 3 (Blind NoSQL Injection): admin" , "username": {"$regex": "^a.*"}
Level 4 (Logical Operator Injection): {"$ne": null}
Level 5 (Aggregation Pipeline Injection): admin" } },{"$lookup": {"from": "user","pipeline": [],"as":"all_users"}},{ "$unwind": "$all_users" },{ "$replaceRoot": { "newRoot": "$all_users" } } ]
Level 6 (Secure): No payload, as it is protected using parameterized queries.
I will add these examples to the code comments or documentation as well.
Not in the comment; I meant that the AttackVector annotation has a payload field which can contain the description, i.e. the way to exploit a vulnerability. You can add these payloads in the description and that way it works as a hint.
| // Payload: { "$ne": null } | ||
| @AttackVector( | ||
| vulnerabilityExposed = VulnerabilityType.NOSQL_INJECTION, | ||
| description = "NOSQL_INJECTION_VULNERABILITY") |
The AttackVector annotation populates hints on the UI page. Please ensure that the AttackVector annotation description is really good.
Good point. I will update the @AttackVector descriptions to be more educational and descriptive, so users can better understand the specific NoSQL Injection vector for each level when viewing it on the UI. Thanks for the heads-up!
| import org.springframework.web.bind.annotation.RequestParam; | ||
|
|
||
| @VulnerableAppRestController( | ||
| descriptionLabel = "NOSQL_INJECTION_VULNERABILITY", |
This description label is shown in the UI when we click on the vulnerability. Please ensure adding really in-depth details with references to external sources.
Good point. I will update the @AttackVector descriptions to be more educational and descriptive, so users can better understand the specific NoSQL Injection vector for each level when viewing it on the UI. Thanks for the heads-up!
| private final ObjectMapper objectMapper; | ||
|
|
||
| @Autowired | ||
| public NoSQLInjectionVulnerability(MongoTemplate mongoTemplate) { |
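Review bot: `objectMapper` is declared `private final` but the only constructor shown takes just `MongoTemplate`, so unless it is assigned somewhere not visible here the class will not compile, let alone let Spring resolve the bean. Take `ObjectMapper objectMapper` as a second constructor parameter and assign it there, so Spring injects the auto-configured Jackson mapper along with the template.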
Is this dependency bean resolving for you? It is failing in my local.
It was working in my environment, but I see the issue. Since ObjectMapper is marked as final, it must be initialized in the constructor. I will update the constructor to include ObjectMapper so Spring can resolve and inject the bean correctly. Alternatively, I can define it as a @Bean in the configuration class if it's missing from the context. I'll fix this in the next commit.
| @@ -0,0 +1,35 @@ | |||
| package org.sasanlabs.service.vulnerability.sampleVulnerability; | |||
I deleted it and just uploaded the new changes.
| const config = { | ||
| "1": { title: "Level 1: String Breakout", goal: "Bypass authentication via string concatenation.", hint: "Try: <code>admin\" , \"password\": {\"$ne\": \"1\"}</code>" }, | ||
| "2": { title: "Level 2: Object Injection", goal: "Direct injection into the query without quotes.", hint: "Try: <code>{\"$gt\": \"\"}</code>" }, | ||
| "3": { title: "Level 3: Blind Injection", goal: "Infer data from server responses (True/False).", hint: "Try Regex for guessing: <code>admin\" , \"username\": {\"$regex\": \"^a.*\"}</code>" }, |
The hint is populated automatically from the AttackVector annotation. It is not needed here.
Okay, I'll work on resolving the new issues.
|
|
||
| const url = `/VulnerableApp/NoSQLInjection/LEVEL_${level}?username=${encodeURIComponent(userInput)}`; | ||
|
|
||
| fetch(url) |
There is already a method to do the API call that hides all this. Use the methods called doGetAjaxCall and doPostAjaxCall.
My suggestion is to look at other vulnerability js files to find out how we have done it there.
|
|
||
| document.addEventListener("DOMContentLoaded", updateLevelContent); | ||
|
|
||
| setTimeout(updateLevelContent, 1000); No newline at end of file |
I would suggest not doing all this and letting the framework load the right html file; if there is something dynamic, check how it is done in other levels.
| try { | ||
| String pipelineJson = "[ { \"$match\": { \"username\": \"" + user + " } ]"; | ||
|
|
||
| System.out.println("Full Pipeline Query: " + pipelineJson); |
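Review bot: as printed, the template `"[ { \"$match\": { \"username\": \"" + user + " } ]"` opens two braces and closes one, and never closes the username string, so a benign value such as `admin` yields `[ { "$match": { "username": "admin } ]`, which will not parse; only a value that supplies its own closing quote and braces (the PoC payload) produces a usable pipeline. If string concatenation is the intended Level 5 weakness, keep it, but a legitimate login has to work too, so check the literal in the actual source. The `System.out.println` of the full pipeline should also go through the level's logger, as the reviewer notes.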
Please don't use println. You can use the logger class. Look at other levels to see the usage of the logger.
|
|
||
| // 3. Check file size (Optional security measure to prevent Denial of Service - | ||
| // DoS). | ||
| if (file.getSize() > 5 * 1024 * 1024) { // 5MB limit |
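Review bot: the 5 MB cap here duplicates what Spring Boot's multipart limits (`spring.servlet.multipart.max-file-size` and `max-request-size` in application.properties) already enforce before the controller runs, which is the property the reviewer refers to; if the in-code check stays, replace the magic number `5 * 1024 * 1024` with a named constant and reword the comment, since a size limit bounds a single oversized upload rather than a distributed DoS.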
I think DDoS is already handled by Spring Boot. There is one property in the Spring Boot application.properties file that does this.
| String detectedType = tika.detect(file.getInputStream()); | ||
|
|
||
| // Define a whitelist of allowed MIME types. | ||
| List<String> allowedMimeTypes = Arrays.asList("image/jpeg", "image/png", "image/gif"); |
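Review bot: the whitelist is rebuilt on every request; hoist it to a `private static final Set<String>` of the existing MIME type constants (or newly declared string constants, as the reviewer asks), which also makes the membership check a set lookup. Keep the comparison against `detectedType` from the content sniff rather than `file.getContentType()`, which is supplied by the client and is exactly the spoofing case Level 11 is meant to stop.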
I think we have constants defined for them. Please use them, or if constants are not there, please declare string constants.
Can you please check this?
@preetkaran20 Please review and accept the pull request if there are no issues.
preetkaran20 left a comment
@MohammedGhallab I can still see a lot of comments are not yet resolved. Can you please check if they are fixed?
Ok
… support and configuration
The review, auditing, and error correction were completed.
🚀 Enhancement: Comprehensive NoSQL Injection Module (Levels 1-6)
📝 Description
This Pull Request introduces a robust set of learning levels for the NoSQL Injection module. The goal is to guide users through the evolution of NoSQL vulnerabilities in MongoDB, starting from basic string-based injections to advanced Aggregation Pipeline breakouts and finally demonstrating the secure implementation.
🛠️ Key Levels Implemented
$ne, $gt, etc.
Document.parse
☣️ Proof of Concept (PoC) for Level 5
To demonstrate the vulnerability in the new Aggregation level:
Endpoint: NoSQLInjection/LEVEL_5
Payload: admin" } },{"$lookup": {"from": "user","pipeline": [],"as":"all_users"}},{ "$unwind": "$all_users" },{ "$replaceRoot": { "newRoot": "$all_users" } } ]