SlideShare a Scribd company logo

NoSQL Injections in Node.js - The case of MongoDB

Sqreen
Sqreen

NoSQL Injections in Node.js - The case of MongoDB

Technology
1 of 14
Download to read offline
NoSQL INJECTIONS IN NODE.JS The case of MongoDB Vladimir de Turckheim 5 DEC 2016
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: ‘blog’ } { type: ‘blog’ } All documents which field ‘type’ equals ‘blog’
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: } { type: }
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: }
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } }
</> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } } All documents which field ‘type’ does not equal 0
WAIT, THERE IS WORST { $where:’this.amount > 0’ }
In MongoDB < 2.4, it is possible to perform all operations on a database from an injection (including dropDatabase).
VALIDATE WHAT GETS INSIDE YOUR APPLICATION hapi on a route, use config.validate express add a data validation middleware It can be a custom one It can use a third party library See tutorial online
</> EXPRESS: CUSTOM DATA VALIDATION MIDDLEWARE app.post('/documents/find', validate, (req, res) => ...); const validate = function (req, res, next) { const body = req.body; if (body.desiredType && !(typeof body.desiredType==='string')){ return next(new Error('title must be a string')); } next(); }; 1 2 3 4 5 6 7
</> EXPRESS: USING JOI AND CELEBRATE TO VALIDATE DATA app.post('/documents/find', validate, (req, res) => ...); const validate = Celebrate({ body: Joi.object.keys({ desiredType: Joi.string().optional() }) }); 1 2 3 4 5
THANKS FOR YOUR ATTENTION ! Contact me at vladimir@sqreen.io

Recommended

Security Challenges in Node.js
Security Challenges in Node.jsSecurity Challenges in Node.js
Security Challenges in Node.jsWebsecurify
 
Hack tutorial
Hack tutorialHack tutorial
Hack tutorialWakana Yoshizawa
 
お題でGroovyプログラミング: Part A
お題でGroovyプログラミング: Part Aお題でGroovyプログラミング: Part A
お題でGroovyプログラミング: Part AKazuchika Sekiya
 
Postman On Steroids
Postman On SteroidsPostman On Steroids
Postman On SteroidsSara Tornincasa
 
Decoupling Objects With Standard Interfaces
Decoupling Objects With Standard InterfacesDecoupling Objects With Standard Interfaces
Decoupling Objects With Standard InterfacesThomas Weinert
 
Asynchronous I/O in PHP
Asynchronous I/O in PHPAsynchronous I/O in PHP
Asynchronous I/O in PHPThomas Weinert
 
Bootstrap
BootstrapBootstrap
BootstrapNexThoughts Technologies
 
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-Tsuyoshi Yamamoto
 

Recommended

Security Challenges in Node.js
Security Challenges in Node.jsSecurity Challenges in Node.js
Security Challenges in Node.jsWebsecurify
 
Hack tutorial
Hack tutorialHack tutorial
Hack tutorialWakana Yoshizawa
 
お題でGroovyプログラミング: Part A
お題でGroovyプログラミング: Part Aお題でGroovyプログラミング: Part A
お題でGroovyプログラミング: Part AKazuchika Sekiya
 
Postman On Steroids
Postman On SteroidsPostman On Steroids
Postman On SteroidsSara Tornincasa
 
Decoupling Objects With Standard Interfaces
Decoupling Objects With Standard InterfacesDecoupling Objects With Standard Interfaces
Decoupling Objects With Standard InterfacesThomas Weinert
 
Asynchronous I/O in PHP
Asynchronous I/O in PHPAsynchronous I/O in PHP
Asynchronous I/O in PHPThomas Weinert
 
Bootstrap
BootstrapBootstrap
BootstrapNexThoughts Technologies
 
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-
Grails 1.2 探検隊 -新たな聖杯をもとめて・・・-Tsuyoshi Yamamoto
 
Ruby on Rails Intro
Ruby on Rails IntroRuby on Rails Intro
Ruby on Rails Introzhang tao
 
Javascript - Beyond-jQuery
Javascript - Beyond-jQueryJavascript - Beyond-jQuery
Javascript - Beyond-jQueryTanner Moushey ❖ Mission Lab - WordPress Agency
 
Net/http and the http.handler interface
Net/http and the http.handler interfaceNet/http and the http.handler interface
Net/http and the http.handler interfaceJoakim Gustin
 
React for Beginners
React for BeginnersReact for Beginners
React for BeginnersDerek Willian Stavis
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHPWim Godden
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Arian Gutierrez
 
AngularJS - $http & $resource Services
AngularJS - $http & $resource ServicesAngularJS - $http & $resource Services
AngularJS - $http & $resource ServicesEyal Vardi
 
Avoiding callback hell in Node js using promises
Avoiding callback hell in Node js using promisesAvoiding callback hell in Node js using promises
Avoiding callback hell in Node js using promisesAnkit Agarwal
 
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」Tsuyoshi Yamamoto
 
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
第4回 g* ワークショップ はじめてみよう! GrailsプラグインTsuyoshi Yamamoto
 
Reactive Programming Patterns with RxSwift
Reactive Programming Patterns with RxSwiftReactive Programming Patterns with RxSwift
Reactive Programming Patterns with RxSwiftFlorent Pillet
 
New in MongoDB 2.6
New in MongoDB 2.6New in MongoDB 2.6
New in MongoDB 2.6christkv
 
Hd insight programming
Hd insight programmingHd insight programming
Hd insight programmingCasear Chu
 
Talk KVO with rac by Philippe Converset
Talk KVO with rac by Philippe ConversetTalk KVO with rac by Philippe Converset
Talk KVO with rac by Philippe ConversetCocoaHeads France
 
JavaScript Promise
JavaScript PromiseJavaScript Promise
JavaScript PromiseJoseph Chiang
 
Javascript Continues Integration in Jenkins with AngularJS
Javascript Continues Integration in Jenkins with AngularJSJavascript Continues Integration in Jenkins with AngularJS
Javascript Continues Integration in Jenkins with AngularJSLadislav Prskavec
 
Introduccion a Jasmin
Introduccion a JasminIntroduccion a Jasmin
Introduccion a JasminRodrigo Quelca Sirpa
 
Finch.io - Purely Functional REST API with Finagle
Finch.io - Purely Functional REST API with FinagleFinch.io - Purely Functional REST API with Finagle
Finch.io - Purely Functional REST API with FinagleVladimir Kostyukov
 
JavaScript OOP Pattern
JavaScript OOP PatternJavaScript OOP Pattern
JavaScript OOP Pattern지수 윤
 
RSpec
RSpecRSpec
RSpecMarco Otte-Witte
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON
 
Rest api code completion for javascript - dotjs 2015
Rest api code completion for javascript - dotjs 2015Rest api code completion for javascript - dotjs 2015
Rest api code completion for javascript - dotjs 2015johannes_fiala
 

More Related Content

What's hot

Ruby on Rails Intro
Ruby on Rails IntroRuby on Rails Intro
Ruby on Rails Introzhang tao
 
Net/http and the http.handler interface
Net/http and the http.handler interfaceNet/http and the http.handler interface
Net/http and the http.handler interfaceJoakim Gustin
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHPWim Godden
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Arian Gutierrez
 
AngularJS - $http & $resource Services
AngularJS - $http & $resource ServicesAngularJS - $http & $resource Services
AngularJS - $http & $resource ServicesEyal Vardi
 
Avoiding callback hell in Node js using promises
Avoiding callback hell in Node js using promisesAvoiding callback hell in Node js using promises
Avoiding callback hell in Node js using promisesAnkit Agarwal
 
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」Tsuyoshi Yamamoto
 
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
第4回 g* ワークショップ はじめてみよう! GrailsプラグインTsuyoshi Yamamoto
 
Reactive Programming Patterns with RxSwift
Reactive Programming Patterns with RxSwiftReactive Programming Patterns with RxSwift
Reactive Programming Patterns with RxSwiftFlorent Pillet
 
New in MongoDB 2.6
New in MongoDB 2.6New in MongoDB 2.6
New in MongoDB 2.6christkv
 
Hd insight programming
Hd insight programmingHd insight programming
Hd insight programmingCasear Chu
 
Talk KVO with rac by Philippe Converset
Talk KVO with rac by Philippe ConversetTalk KVO with rac by Philippe Converset
Talk KVO with rac by Philippe ConversetCocoaHeads France
 
Javascript Continues Integration in Jenkins with AngularJS
Javascript Continues Integration in Jenkins with AngularJSJavascript Continues Integration in Jenkins with AngularJS
Javascript Continues Integration in Jenkins with AngularJSLadislav Prskavec
 
Finch.io - Purely Functional REST API with Finagle
Finch.io - Purely Functional REST API with FinagleFinch.io - Purely Functional REST API with Finagle
Finch.io - Purely Functional REST API with FinagleVladimir Kostyukov
 
JavaScript OOP Pattern
JavaScript OOP PatternJavaScript OOP Pattern
JavaScript OOP Pattern지수 윤
 

What's hot (20)

Ruby on Rails Intro
Ruby on Rails IntroRuby on Rails Intro
Ruby on Rails Intro
 
Javascript - Beyond-jQuery
Javascript - Beyond-jQueryJavascript - Beyond-jQuery
Javascript - Beyond-jQuery
 
Net/http and the http.handler interface
Net/http and the http.handler interfaceNet/http and the http.handler interface
Net/http and the http.handler interface
 
React for Beginners
React for BeginnersReact for Beginners
React for Beginners
 
The promise of asynchronous PHP
The promise of asynchronous PHPThe promise of asynchronous PHP
The promise of asynchronous PHP
 
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
 
AngularJS - $http & $resource Services
AngularJS - $http & $resource ServicesAngularJS - $http & $resource Services
AngularJS - $http & $resource Services
 
Avoiding callback hell in Node js using promises
Avoiding callback hell in Node js using promisesAvoiding callback hell in Node js using promises
Avoiding callback hell in Node js using promises
 
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
第3回Grails/Groovy勉強会名古屋「Grails名古屋座談会」
 
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
第4回 g* ワークショップ はじめてみよう! Grailsプラグイン
 
Reactive Programming Patterns with RxSwift
Reactive Programming Patterns with RxSwiftReactive Programming Patterns with RxSwift
Reactive Programming Patterns with RxSwift
 
New in MongoDB 2.6
New in MongoDB 2.6New in MongoDB 2.6
New in MongoDB 2.6
 
Hd insight programming
Hd insight programmingHd insight programming
Hd insight programming
 
Talk KVO with rac by Philippe Converset
Talk KVO with rac by Philippe ConversetTalk KVO with rac by Philippe Converset
Talk KVO with rac by Philippe Converset
 
JavaScript Promise
JavaScript PromiseJavaScript Promise
JavaScript Promise
 
Javascript Continues Integration in Jenkins with AngularJS
Javascript Continues Integration in Jenkins with AngularJSJavascript Continues Integration in Jenkins with AngularJS
Javascript Continues Integration in Jenkins with AngularJS
 
Introduccion a Jasmin
Introduccion a JasminIntroduccion a Jasmin
Introduccion a Jasmin
 
Finch.io - Purely Functional REST API with Finagle
Finch.io - Purely Functional REST API with FinagleFinch.io - Purely Functional REST API with Finagle
Finch.io - Purely Functional REST API with Finagle
 
JavaScript OOP Pattern
JavaScript OOP PatternJavaScript OOP Pattern
JavaScript OOP Pattern
 
RSpec
RSpecRSpec
RSpec
 

Viewers also liked

44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON
 
Rest api code completion for javascript - dotjs 2015
Rest api code completion for javascript - dotjs 2015Rest api code completion for javascript - dotjs 2015
Rest api code completion for javascript - dotjs 2015johannes_fiala
 
DotJS Lightning Talk Vorlon.js
DotJS Lightning Talk Vorlon.jsDotJS Lightning Talk Vorlon.js
DotJS Lightning Talk Vorlon.jsEtienne Margraff
 
Pug - a compiler pipeline
Pug - a compiler pipelinePug - a compiler pipeline
Pug - a compiler pipelineForbes Lindesay
 
Query mechanisms for NoSQL databases
Query mechanisms for NoSQL databasesQuery mechanisms for NoSQL databases
Query mechanisms for NoSQL databasesArangoDB Database
 

Viewers also liked (6)

44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
 
Rest api code completion for javascript - dotjs 2015
Rest api code completion for javascript - dotjs 2015Rest api code completion for javascript - dotjs 2015
Rest api code completion for javascript - dotjs 2015
 
DotJS Lightning Talk Vorlon.js
DotJS Lightning Talk Vorlon.jsDotJS Lightning Talk Vorlon.js
DotJS Lightning Talk Vorlon.js
 
dotJS 2015
dotJS 2015dotJS 2015
dotJS 2015
 
Pug - a compiler pipeline
Pug - a compiler pipelinePug - a compiler pipeline
Pug - a compiler pipeline
 
Query mechanisms for NoSQL databases
Query mechanisms for NoSQL databasesQuery mechanisms for NoSQL databases
Query mechanisms for NoSQL databases
 

Similar to NoSQL Injections in Node.js - The case of MongoDB

Node js mongodriver
Node js mongodriverNode js mongodriver
Node js mongodriverchristkv
 
Developing web-apps like it's 2013
Developing web-apps like it's 2013Developing web-apps like it's 2013
Developing web-apps like it's 2013Laurent_VB
 
Mongoskin - Guilin
Mongoskin - GuilinMongoskin - Guilin
Mongoskin - GuilinJackson Tian
 
Testdrevet javautvikling på objektorienterte skinner
Testdrevet javautvikling på objektorienterte skinnerTestdrevet javautvikling på objektorienterte skinner
Testdrevet javautvikling på objektorienterte skinnerTruls Jørgensen
 
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Michael Reinsch
 
Применение паттерна Page Object для автоматизации веб сервисов - новый взгляд
Применение паттерна Page Object для автоматизации веб сервисов - новый взглядПрименение паттерна Page Object для автоматизации веб сервисов - новый взгляд
Применение паттерна Page Object для автоматизации веб сервисов - новый взглядCOMAQA.BY
 
Implementing CQRS and Event Sourcing with RavenDB
Implementing CQRS and Event Sourcing with RavenDBImplementing CQRS and Event Sourcing with RavenDB
Implementing CQRS and Event Sourcing with RavenDBOren Eini
 
async/await in Swift
async/await in Swiftasync/await in Swift
async/await in SwiftPeter Friese
 
Elasticsearch and Symfony Integration - Debarko De
Elasticsearch and Symfony Integration - Debarko DeElasticsearch and Symfony Integration - Debarko De
Elasticsearch and Symfony Integration - Debarko DeDebarko De
 
[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)croquiscom
 
DIY Percolator
DIY PercolatorDIY Percolator
DIY Percolatorjdhok
 
Nodejs do teste de unidade ao de integração
Nodejs do teste de unidade ao de integraçãoNodejs do teste de unidade ao de integração
Nodejs do teste de unidade ao de integraçãoVinícius Pretto da Silva
 
Spray Json and MongoDB Queries: Insights and Simple Tricks.
Spray Json and MongoDB Queries: Insights and Simple Tricks.Spray Json and MongoDB Queries: Insights and Simple Tricks.
Spray Json and MongoDB Queries: Insights and Simple Tricks.Andrii Lashchenko
 
RESTful API 제대로 만들기
RESTful API 제대로 만들기RESTful API 제대로 만들기
RESTful API 제대로 만들기Juwon Kim
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.jsFDConf
 
Modern Networking with Swish
Modern Networking with SwishModern Networking with Swish
Modern Networking with Swishjakecraige
 
Background Tasks in Node - Evan Tahler, TaskRabbit
Background Tasks in Node - Evan Tahler, TaskRabbitBackground Tasks in Node - Evan Tahler, TaskRabbit
Background Tasks in Node - Evan Tahler, TaskRabbitRedis Labs
 

Similar to NoSQL Injections in Node.js - The case of MongoDB (20)

Node js mongodriver
Node js mongodriverNode js mongodriver
Node js mongodriver
 
Developing web-apps like it's 2013
Developing web-apps like it's 2013Developing web-apps like it's 2013
Developing web-apps like it's 2013
 
Mongoskin - Guilin
Mongoskin - GuilinMongoskin - Guilin
Mongoskin - Guilin
 
Testdrevet javautvikling på objektorienterte skinner
Testdrevet javautvikling på objektorienterte skinnerTestdrevet javautvikling på objektorienterte skinner
Testdrevet javautvikling på objektorienterte skinner
 
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B) Finding the right stuff, an intro to Elasticsearch (at Rug::B)
Finding the right stuff, an intro to Elasticsearch (at Rug::B)
 
Применение паттерна Page Object для автоматизации веб сервисов - новый взгляд
Применение паттерна Page Object для автоматизации веб сервисов - новый взглядПрименение паттерна Page Object для автоматизации веб сервисов - новый взгляд
Применение паттерна Page Object для автоматизации веб сервисов - новый взгляд
 
Reduxing like a pro
Reduxing like a proReduxing like a pro
Reduxing like a pro
 
Implementing CQRS and Event Sourcing with RavenDB
Implementing CQRS and Event Sourcing with RavenDBImplementing CQRS and Event Sourcing with RavenDB
Implementing CQRS and Event Sourcing with RavenDB
 
async/await in Swift
async/await in Swiftasync/await in Swift
async/await in Swift
 
java script
java scriptjava script
java script
 
Elasticsearch and Symfony Integration - Debarko De
Elasticsearch and Symfony Integration - Debarko DeElasticsearch and Symfony Integration - Debarko De
Elasticsearch and Symfony Integration - Debarko De
 
[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)
 
Jersey
JerseyJersey
Jersey
 
DIY Percolator
DIY PercolatorDIY Percolator
DIY Percolator
 
Nodejs do teste de unidade ao de integração
Nodejs do teste de unidade ao de integraçãoNodejs do teste de unidade ao de integração
Nodejs do teste de unidade ao de integração
 
Spray Json and MongoDB Queries: Insights and Simple Tricks.
Spray Json and MongoDB Queries: Insights and Simple Tricks.Spray Json and MongoDB Queries: Insights and Simple Tricks.
Spray Json and MongoDB Queries: Insights and Simple Tricks.
 
RESTful API 제대로 만들기
RESTful API 제대로 만들기RESTful API 제대로 만들기
RESTful API 제대로 만들기
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.js
 
Modern Networking with Swish
Modern Networking with SwishModern Networking with Swish
Modern Networking with Swish
 
Background Tasks in Node - Evan Tahler, TaskRabbit
Background Tasks in Node - Evan Tahler, TaskRabbitBackground Tasks in Node - Evan Tahler, TaskRabbit
Background Tasks in Node - Evan Tahler, TaskRabbit
 

More from Sqreen

Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scaleSqreen
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
Writing a Python C extension
Writing a Python C extensionWriting a Python C extension
Writing a Python C extensionSqreen
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASPSqreen
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Sqreen
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Ruby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous IntegrationRuby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous IntegrationSqreen
 

More from Sqreen (8)

Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scale
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
Writing a Python C extension
Writing a Python C extensionWriting a Python C extension
Writing a Python C extension
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing
 
Ruby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous IntegrationRuby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous Integration
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 

NoSQL Injections in Node.js - The case of MongoDB

  • 1. NoSQL INJECTIONS IN NODE.JS The case of MongoDB Vladimir de Turckheim 5 DEC 2016
  • 2. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
  • 3. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6
  • 4. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: ‘blog’ } { type: ‘blog’ } All documents which field ‘type’ equals ‘blog’
  • 5. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: } { type: }
  • 6. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: }
  • 7. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } }
  • 8. </> IN PRACTICEapp.post(‘/documents/find’, (req, res) => { const query = { }; if (req.body.desiredType) query.type = req.body.desiredType; if (!query.type) return res.json([ ]); Document.find(query).exec() .then((r) => res.json(r)); 1 2 3 4 5 6 req.body query outcome { desiredType: { $ne: 0 } } { type: { $ne: 0 } } All documents which field ‘type’ does not equal 0
  • 9. WAIT, THERE IS WORST { $where:’this.amount > 0’ }
  • 10. In MongoDB < 2.4, it is possible to perform all operations on a database from an injection (including dropDatabase).
  • 11. VALIDATE WHAT GETS INSIDE YOUR APPLICATION hapi on a route, use config.validate express add a data validation middleware It can be a custom one It can use a third party library See tutorial online
  • 12. </> EXPRESS: CUSTOM DATA VALIDATION MIDDLEWARE app.post('/documents/find', validate, (req, res) => ...); const validate = function (req, res, next) { const body = req.body; if (body.desiredType && !(typeof body.desiredType==='string')){ return next(new Error('title must be a string')); } next(); }; 1 2 3 4 5 6 7
  • 13. </> EXPRESS: USING JOI AND CELEBRATE TO VALIDATE DATA app.post('/documents/find', validate, (req, res) => ...); const validate = Celebrate({ body: Joi.object.keys({ desiredType: Joi.string().optional() }) }); 1 2 3 4 5
  • 14. THANKS FOR YOUR ATTENTION ! Contact me at vladimir@sqreen.io