2022-09-01 17:51:40 +02:00
|
|
|
=== What is the potential impact?
|
|
|
|
|
|
|
|
|
|
In the context of a web application that is vulnerable to NoSQL injection: +
|
|
|
|
|
After discovering the injection point, attackers insert data into the vulnerable
|
|
|
|
|
field to execute malicious commands in the affected databases.
|
|
|
|
|
|
2022-09-13 16:27:19 +02:00
|
|
|
Below are some real-world scenarios that illustrate some impacts of an attacker
|
|
|
|
|
exploiting the vulnerability.
|
2022-09-01 17:51:40 +02:00
|
|
|
|
|
|
|
|
==== Identity spoofing and data leakage
|
|
|
|
|
|
|
|
|
|
In the context of simple query logic breakouts, a malicious database query
|
|
|
|
|
enables privilege escalation or direct data leakage from one or more databases. +
|
|
|
|
|
This threat is the most widespread impact.
|
|
|
|
|
|
|
|
|
|
==== Data deletion and denial of service
|
|
|
|
|
|
|
|
|
|
The malicious query makes it possible for the attacker to delete data in the
|
|
|
|
|
affected databases. +
|
|
|
|
|
This threat is particularly insidious if the attacked organization does not
|
|
|
|
|
maintain a disaster recovery plan (DRP) as missing data can disrupt the regular
|
|
|
|
|
operations of an organization.
|
|
|
|
|
|
|
|
|
|
==== Chaining NoSQL injections with other vulnerabilities
|
|
|
|
|
|
|
|
|
|
Attackers who exploit NoSQL injections rely on other vulnerabilities to maximize
|
|
|
|
|
their profits. +
|
|
|
|
|
Most of the time, organizations overlook some defense in depth measures because
|
|
|
|
|
they assume attackers cannot reach certain points in the infrastructure. This
|
|
|
|
|
misbehavior can lead to multiple attacks with great impact:
|
|
|
|
|
|
|
|
|
|
* When secrets are stored unencrypted in databases: Secrets can be exfiltrated and lead to compromise of other components.
|
|
|
|
|
* If server-side OS and/or database permissions are misconfigured, injection can lead to remote code execution (RCE).
|
