Regarding security aspect in MongoDB


Manoj P T

Dec 18, 2014, 11:25:01 PM
to mongod...@googlegroups.com
Hello,

I had a few questions regarding the security aspect of MongoDB.

1) Is it not at all possible for query injection attacks in MongoDB when using the Java driver?
    How is it possible when using JavaScript?
2) Are there any other security threats in MongoDB?

Please help me out. Please give me some useful links.

Thanking you

s.molinari

Dec 19, 2014, 1:59:42 AM
to mongod...@googlegroups.com
Hi Manoj,

I am guessing at this, as my knowledge is limited too, but for 1) the difference is that Java is a strictly typed language and JavaScript is a loosely typed language. In other words, if you define a string variable for user input in Java and you try to assign an object to that variable, you'd get an error. With JS, you could be looking to assign a string to the variable and get an object, and JS would happily continue to process that input. It is why the golden rule is "Always sanitize user input!".

The link below has an explanation of what I mean, sort of, using PHP as an example, as PHP is a loosely typed scripting language similar to JS.


The person who answers also explains why it is harder to inject querying language into Mongo than with SQL databases.

For 2) back to the golden rule, if you properly sanitize user input, you shouldn't have any issues with MongoDB (or with any other database for that matter).

Scott

Sam Millman

Dec 19, 2014, 3:07:59 AM
to mongod...@googlegroups.com
That SO question is so wrong it is actually funny to see how upvoted it is.

MongoDB can suffer from operator injection. I cannot find that in the security docs for some reason: http://docs.mongodb.org/manual/core/security/ however, the problem is very real.

If you have a user who has the ability to inject operators via client passed variables (using $) then you could have a misbehaving query.

It is advised to escape values that start with a $.

The second question is a broad one and depends on your setup.
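The operator injection Sam describes, and the typing point Scott raised earlier, as an added example that is not part of the original thread. It assumes a web application that parses a JSON login body and copies the fields into a query; nothing talks to a real MongoDB server, and `find`/`matchField` are a deliberately tiny stand-in for the server's matcher (equality, `$ne`, `$gt` only), written here to make the effect visible. The collection, the request body and all function names are constructed for the example.

```javascript
// Added example (not from the original thread): operator injection through a
// JSON request body, and two defences. `find`/`matchField` are a toy matcher
// standing in for MongoDB's query engine; no database is involved.

// Constructed sample collection.
const USERS = [
  { _id: 1, user: "alice", password: "correct horse" },
  { _id: 2, user: "admin", password: "s3cret" },
];

// Toy matcher. A value whose keys all start with "$" is an operator expression
// (like MongoDB); any other object is an embedded-document equality match.
function matchField(actual, expected) {
  const isObj = expected !== null && typeof expected === "object" && !Array.isArray(expected);
  if (isObj) {
    const keys = Object.keys(expected);
    if (keys.length > 0 && keys.every((k) => k.startsWith("$"))) {
      return keys.every((op) => {
        const arg = expected[op];
        switch (op) {
          case "$ne": return actual !== arg;
          case "$gt": return actual > arg;
          default: throw new Error("operator not implemented in this toy matcher: " + op);
        }
      });
    }
    // Embedded-document equality: a plain string field can never satisfy it.
    return JSON.stringify(actual) === JSON.stringify(expected);
  }
  return actual === expected;
}

function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, expected]) => matchField(doc[field], expected)));
}

// Vulnerable: whatever JSON the client sent is placed straight into the query.
// A body of {"user":"admin","password":{"$ne":""}} becomes an operator query
// that matches admin without knowing the password.
function loginQueryUnsafe(body) {
  return { user: body.user, password: body.password };
}

// Defence 1 (Scott's typing point): insist the values are strings before they
// reach the driver. A string can only ever be compared as a string.
function loginQueryTyped(body) {
  if (typeof body.user !== "string" || typeof body.password !== "string") {
    throw new TypeError("user and password must be strings");
  }
  return { user: body.user, password: body.password };
}

// Defence 2 (Sam's advice): neutralise any key starting with "$" anywhere in
// the input. Here the key is prefixed with "_" so it can never be parsed as an
// operator; the same walk could instead drop the key or reject the request.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k.startsWith("$") ? "_" + k : k] = stripOperators(v);
    }
    return out;
  }
  return value;
}

function loginQuerySanitised(body) {
  const clean = stripOperators(body);
  return { user: clean.user, password: clean.password };
}

// Constructed attacker body, exactly as JSON.parse would produce it from a POST.
const INJECTED = JSON.parse('{"user":"admin","password":{"$ne":""}}');

console.log(find(USERS, loginQueryUnsafe(INJECTED)).map((u) => u.user));    // [ 'admin' ]
console.log(find(USERS, loginQuerySanitised(INJECTED)).map((u) => u.user)); // []
```

The type check is the stronger defence for a login form, because a password is only ever a string; the `$`-key rewrite (the same idea as the express-mongo-sanitize middleware) is what you reach for when the input legitimately is a document and you cannot pin its shape. Neither is needed for values that come from a statically typed driver call such as `new BasicDBObject("EMAILID", someString)`, where the value can only be a BSON string.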


s.molinari

Dec 19, 2014, 3:32:50 AM
to mongod...@googlegroups.com
I'd say the SO question is quite good. The O'Reilly book saying Mongo avoids SQL injection is what is wrong. Or rather, it is right, if you are only talking about RDBMS SQL injection. Of course that could never work. LOL!

Scott

Derick Rethans

Dec 19, 2014, 8:20:36 AM
to mongod...@googlegroups.com
On Fri, 19 Dec 2014, Sam Millman wrote:

> That SO question is so wrong is actually funny to see how upvoted it is.
>
> MongoDB can suffer from operator injection. I cannot find that in the
> security docs for some reason: http://docs.mongodb.org/manual/core/security/
> however, the problem is very real.

The drivers sometimes have it documented. For the PHP one, it's at
http://docs.php.net/manual/en/mongo.security.php

cheers,
Derick
--
{
website: [ "http://mongodb.org", "http://derickrethans.nl" ],
twitter: [ "@derickr", "@mongodb" ]
}

Sam Millman

Dec 19, 2014, 8:52:59 AM
to mongod...@googlegroups.com
For SO to say that it avoids injection because of lack of parsing is an incorrect view; it is now and was in 2011.

As the good PHP doc documents it.

Manoj P T

Dec 19, 2014, 11:52:46 PM
to mongod...@googlegroups.com
For example, 
Case #1: suppose all the user-entered data is accepted as a String data type.

                        import com.mongodb.BasicDBObject;
                        import com.mongodb.DBCursor;

                        // userEnteredValue is a Java String read from the request, whatever it contains
                        String userEnteredValue = "userEnteredValue";
                        BasicDBObject query = new BasicDBObject( "EMAILID" , userEnteredValue );
                        DBCursor cursor = collection.find(query);

How about in this case? Is query injection still possible?


Case #2: Suppose we are using $where in our BasicDBObject; there is a chance of query injection (since we can write JavaScript functions).

                        // the whole JavaScript function body comes from the user
                        String userEnteredValue = "function() { return this._id; } ";
                        BasicDBObject query = new BasicDBObject( "$where" , userEnteredValue );
                        DBCursor cursor = collection.find(query);

In this case query injection is possible.

Is my understanding correct?

Please correct my understanding of this concept.


Thanking you
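Manoj's two cases side by side, as an added example that is not part of the original thread and not the Java driver's code. It generalises case #2 to the more common pattern of concatenating a user value into a `$where` expression rather than handing over the whole function. MongoDB evaluates `$where` on the server with a JavaScript engine; `evalWhere` below stands in for that with `new Function`, so no database is needed. The collection, the inputs and all function names are constructed for the example.

```javascript
// Added example (not from the original thread): user input reaching a $where
// clause (Manoj's case #2) versus the same lookup as a plain equality filter
// (case #1). `evalWhere` emulates server-side $where evaluation locally.

// Constructed sample collection.
const CONTACTS = [
  { _id: 1, EMAILID: "alice@example.com" },
  { _id: 2, EMAILID: "bob@example.com" },
];

// Stand-in for the server: the expression runs with `this` bound to each
// document and a truthy result selects it, which is how $where behaves.
function evalWhere(collection, whereExpr) {
  const predicate = new Function("return (" + whereExpr + ");");
  return collection.filter((doc) => predicate.call(doc));
}

// Vulnerable: the user's value is spliced into JavaScript source. A value such
// as  x' || true || '  closes the string literal and makes the predicate
// always true, so every document is returned. Handing the whole function to
// $where, as in case #2, is the same problem with less effort for the attacker.
function findByEmailWhere(collection, userEnteredValue) {
  const query = { $where: "this.EMAILID == '" + userEnteredValue + "'" };
  return evalWhere(collection, query.$where);
}

// Safe: the lookup as an equality filter, the equivalent of case #1. The value
// is data, never code, so nothing in it can alter the shape of the query.
function findByEmailEquality(collection, userEnteredValue) {
  if (typeof userEnteredValue !== "string") throw new TypeError("EMAILID must be a string");
  const query = { EMAILID: userEnteredValue };
  return collection.filter((doc) => doc.EMAILID === query.EMAILID);
}

const HONEST_INPUT = "alice@example.com";
const INJECTED_INPUT = "x' || true || '";

console.log(findByEmailWhere(CONTACTS, HONEST_INPUT).length);      // 1
console.log(findByEmailWhere(CONTACTS, INJECTED_INPUT).length);    // 2
console.log(findByEmailEquality(CONTACTS, INJECTED_INPUT).length); // 0
```

`$where` has no parameter binding, so there is no safe way to quote a user value into it; the fix is to express the condition with regular query operators instead. If no code path needs server-side JavaScript at all, `security.javascriptEnabled: false` in the mongod configuration removes `$where` as an attack surface entirely.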



Carl Sun

Aug 14, 2016, 8:09:17 AM
to mongodb-user
Of course, PHP array injection, JS injection and MongoDB shell injection all apply to MongoDB.
And the most important thing is that there are thousands of exposed MongoDB instances on the internet; you can download the data from the exposed MongoDB instances.
https://github.com/youngyangyang04/NoSQLAttack This is my project for attack mongoDB, welcome to talk about it with me