API - NoSQL Injection

With a stored password "abc123" and an injected condition { "$ne": "0" }, the comparison "abc123" != "0" is TRUE, so the query matches and executes.

MongoDB accepts operator objects (such as $ne) inside queries.

The Core Reason:

MongoDB allows special operator objects such as:

  • $ne (not equal) 

  • $gt, $lt

  • $regex

  • $or

  • $in

Vulnerable Code (because user input is passed directly)

// ❌ VULNERABLE: req.body.name and req.body.password go straight into the filter,
// so a JSON object such as { "$ne": "" } is interpreted as a query operator
// instead of being compared as a literal string.
app.post("/login", async (req, res) => {
    const user = await db.collection("users").findOne({
        name: req.body.name,
        password: req.body.password
    });

    if (user) res.send("Logged in!");
    else res.send("Invalid credentials");
});

Why this is vulnerable

Because MongoDB allows operators like:

{ "$ne": "0" }
{ "$gt": "" }
{ "$regex": ".*" }
{ "$or": [...] }
{ "$in": [...] }

1. If the attacker sends JSON instead of a string:

{
  "name": "jeremy",
  "password": { "$ne": "" }
}

This returns the user even when the attacker does not know the password.

2. Example with $gt / $lt

{
  "name": "john",
  "age": { "$gt": 0 }
}

This matches any user with age > 0.

3. Example with $regex

Attacker sends:

{ "name": { "$regex": ".*" } }

This matches every user, bypassing intended filtering.

4. Example with $or

Attacker sends:

{
  "name": "admin",
  "role": { "$or": [ {}, { "$ne": "" } ] }
}

5. Example with $in

Attacker sends:

{
  "category": { "$in": ["electronics", "clothing", "*"] }
}

Root cause of all vulnerable queries

All of these vulnerabilities happen because:

User input is inserted directly into MongoDB query objects.

MongoDB interprets special operator keys like $ne, $gt, $lt, $regex, $or, $in, etc. If a user can send objects, they can inject new logic.


Mitigation:

  • Validate and sanitize user input (clean and remove dangerous parts, such as operator keys, before it reaches a query)

  • NEVER pass raw user input directly into MongoDB queries

  • Use schema validation libraries
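The following is an added example, not code from the original post. It covers both the "Why this is vulnerable" section and the mitigation list: a tiny in-memory matcher (an assumption for the sake of running offline; it imitates only the operators listed above, not the real MongoDB engine) shows why a filter built from { "$ne": "" } matches a user whose password was never supplied, and two defences keep operator objects out of the filter. The user records, the safeLogin and stripOperators functions and their names are constructed for this example.

```javascript
// Added example: why an operator object in user input changes the query,
// and how to reject it before a filter is built. The matcher below is a
// simplification of MongoDB's behaviour, not the real engine.

// Constructed sample collection.
const USERS = [
  { name: "jeremy", password: "abc123", role: "user", age: 31 },
  { name: "admin", password: "s3cret!", role: "admin", age: 45 },
];

// A value is treated as an operator expression when it is a plain object
// whose first key starts with "$" (this mirrors how MongoDB tells
// { "$ne": "" } apart from an embedded-document equality match).
function isOperatorObject(cond) {
  if (cond === null || typeof cond !== "object" || Array.isArray(cond)) return false;
  const keys = Object.keys(cond);
  return keys.length > 0 && keys[0].startsWith("$");
}

// Minimal matcher: literal equality by default, plus the operators from the post.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (!isOperatorObject(cond)) {
      return JSON.stringify(value) === JSON.stringify(cond);
    }
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$ne": return value !== arg;
        case "$gt": return value > arg;
        case "$lt": return value < arg;
        case "$in": return Array.isArray(arg) && arg.includes(value);
        case "$regex": return typeof value === "string" && new RegExp(arg).test(value);
        default: return false; // unsupported operator: no match
      }
    });
  });
}

function findOne(filter) {
  return USERS.find((doc) => matches(doc, filter)) || null;
}

// The post's vulnerable handler reduced to its query-building step:
// whatever the client sends becomes the filter, objects included.
function vulnerableLogin(body) {
  return findOne({ name: body.name, password: body.password });
}

// Defence 1: credentials must be plain strings. Objects, arrays and numbers
// are rejected before any filter is built, so operators never reach the query.
function safeLogin(body) {
  if (typeof body.name !== "string" || typeof body.password !== "string") {
    return null;
  }
  return findOne({ name: body.name, password: body.password });
}

// Defence 2: for inputs that legitimately nest, drop every key beginning
// with "$" (the approach taken by packages such as express-mongo-sanitize).
function stripOperators(input) {
  if (Array.isArray(input)) return input.map(stripOperators);
  if (input !== null && typeof input === "object") {
    const out = {};
    for (const [key, value] of Object.entries(input)) {
      if (!key.startsWith("$")) out[key] = stripOperators(value);
    }
    return out;
  }
  return input;
}

// Stand-alone demonstration with a constructed login body.
function demo() {
  const body = { name: "jeremy", password: { $ne: "" } };
  const hit = vulnerableLogin(body);
  console.log("vulnerable:", hit && hit.name);        // jeremy, password unknown
  console.log("type check:", safeLogin(body));         // null
  console.log("stripped:  ", findOne(stripOperators(body))); // null
}

demo();
```

The type check is the right defence for a login form, where a credential can only ever be a string; key stripping is the fallback for endpoints that accept nested JSON, and note that after stripping, { "$ne": "" } becomes {} which no longer matches a string field.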






Burp Suite - Intruder