Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4474
Title: Identification of NoSQL Injection Vulnerabilities in MongoDB based Web Applications
Authors: Weeratunga, A.M.
Issue Date: 6-Aug-2021
Abstract: The Internet has come a long way from the first working prototype, which was developed in the 1960s. From static web pages to visually appealing animated websites, the Internet continues to attract more and more users, and websites are creating, gathering, and storing data. Modern web applications deal with a wide array of semi-structured data. Relational databases were not designed to handle data like this, so NoSQL databases were introduced to accommodate the persistence of these types of data. NoSQL databases offer greater scalability and performance than relational databases and provide advantages such as dynamic schemas, auto-sharding, replication, and integrated caching. NoSQL databases also scale horizontally, support multiple data structures, and handle data replication and failover automatically. MongoDB is one of the most popular document-based databases and has an active user community. MongoDB is used mainly for storing unstructured data and is used by popular websites such as Twitter. However, MongoDB-based applications are exposed to several security vulnerabilities, and these need to be investigated and exposed in order to develop a secure application. Detecting such vulnerabilities through manual penetration testing takes time and expertise and can be error-prone because of the human factor. To overcome this, automated vulnerability scanners such as Veracode, WhiteHat, and OWASP ZAP exist to identify SQLi vulnerabilities in applications that use relational databases. However, most of these tools either do not support detection of NoSQL injection or have gaps in identifying NoSQLi vulnerabilities. Detecting vulnerabilities in NoSQL-backed applications is therefore an emerging topic, and since more and more web applications are moving to MongoDB, it is a topic worth investigating.
This research identifies how a web application that uses MongoDB can be penetrated using NoSQL injection and attempts to automate the process of identifying NoSQLi vulnerabilities.
URI: http://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4474
Appears in Collections: 2020

Files in This Item:
File: 2017 MCS 088.pdf (Size: 2.41 MB, Format: Adobe PDF)