
I am using the C# MongoDB driver to insert / update data in MongoDB. I have scanned my web API with "Qualys", and this was getting inserted into one of my fields, called "createdOn"; I have provided sample data below.

Central Pacific Standard Time + (SELECT 0 FROM (SELECT
SLEEP(29))qsqli_1111) Central Pacific Standard Time',0,0);WAITFOR
DELAY'00:00:29'- |ping -c2 -i91 localhost|

Could you please help me sort out this issue?

Aravinth
  • I'm not familiar with `Qualys`, but I know that `SELECT 0 FROM ###` has nothing common with Mongo – dododo Jul 29 '20 at 18:02
  • Please let me know, is it possible to prevent such type of data injection? – Aravinth Jul 30 '20 at 05:23
  • I am still facing an issue with SQL injection; could anybody please help me out with this issue. – Aravinth Aug 05 '20 at 12:31
  • @Aravinth show us some code. How did you construct your NoSQL query? Like what dododo said, what you shared doesn't look like a NoSQL query. It does look more like an SQL injection, as Qualys appears to "inject" a SLEEP command – securecodeninja Aug 06 '20 at 02:33
  • Thanks for your response @RomanCanlas. Please refer to the code below, which I have used to retrieve data from the collection. Is there any possibility of an attack with NoSQL / SQL injection, and if so, how to prevent it? `var _chatSessionCollection = Db.GetCollection(ConfigurationManager.AppSettings["chatsession"]); JObject dateFilter = new JObject(); jFilter.Add("botId", 1); jFilter.Add("status", status); var _chatSessionList = _chatSessionCollection.Find(Convert.ToString(jFilter)).ToList();` – Aravinth Aug 06 '20 at 10:57

1 Answer


Arbitrary code can potentially be injected in one of the filters (status). I suggest implementing whitelisting if you are just expecting a finite set of accepted characters.

NOTE: I haven't tested the code below, but I hope you get the gist

// Requires: using System.Text.RegularExpressions; using Newtonsoft.Json.Linq;
Regex regex = new Regex(@"^[a-zA-Z0-9\s,]*$");  // alphanumeric pattern (plus whitespace and comma)

if (regex.IsMatch(status)) {
    // Only a whitelisted value reaches the query
    var chatSessionCollection = Db.GetCollection<ChatSessionModel>(ConfigurationManager.AppSettings["chatsession"]);
    JObject jFilter = new JObject();
    jFilter.Add("botId", 1);
    jFilter.Add("status", status);
    var chatSessionList = chatSessionCollection.Find(Convert.ToString(jFilter)).ToList();
}
else
    return false;  // reject the request instead of querying with unexpected input
securecodeninja
  • Thanks @Roman Canlas, I will use your code snippet. I believe the main objective is to remove the "$" symbol from the input data. Is it correct? – Aravinth Aug 07 '20 at 10:30
  • No. The objective is to only accept white-listed characters. We do not aim to remove any characters, but you can do that as well; it won't be as effective as whitelisting IMHO. What you are referring to is different: it is the process of sanitization. – securecodeninja Aug 07 '20 at 19:39
  • I understood and thanks for your response @Roman Canlas – Aravinth Aug 10 '20 at 06:04
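Added example, not the asker's or answerer's code: the allow-list check on `status` from the answer, followed by a filter built with the C# driver's typed `Builders`, which serialize the value as a BSON string, shown beside the string-concatenation form that such a check protects against. It assumes a `BsonDocument` collection named "chatsession" in a database "botdb" on localhost; those names are placeholders.

```csharp
using System;
using System.Text.RegularExpressions;
using MongoDB.Bson;
using MongoDB.Driver;

// Added example, not the asker's or answerer's code. Assumes a collection
// "chatsession" of BsonDocument in database "botdb" on localhost (placeholders).
public static class ChatSessionQuery
{
    // Allow-list: a status token is 1-32 letters, digits, '-' or '_' and nothing else.
    static readonly Regex StatusPattern = new Regex(@"^[A-Za-z0-9_-]{1,32}$");

    // Validates the status value before it is used anywhere near a query.
    public static bool IsValidStatus(string status) =>
        status != null && StatusPattern.IsMatch(status);

    // Hardened: typed Builders serialize 'status' as a BSON string, so the
    // value can never change the shape of the filter document.
    public static FilterDefinition<BsonDocument> BuildFilter(int botId, string status)
    {
        if (!IsValidStatus(status))
            throw new ArgumentException("status failed the allow-list check", nameof(status));
        var f = Builders<BsonDocument>.Filter;
        return f.And(f.Eq("botId", botId), f.Eq("status", status));
    }

    // Shown for contrast only: concatenating the raw value into a JSON string
    // lets a value containing a quote close the string and alter the query.
    public static BsonDocument UnsafeFilter(int botId, string status) =>
        BsonDocument.Parse("{ botId: " + botId + ", status: '" + status + "' }");

    public static void Main()
    {
        // Constructed inputs: a normal value and the scanner payload quoted in the question.
        string ok = "active";
        string scanner = "Central Pacific Standard Time',0,0);WAITFOR DELAY'00:00:29'-";
        Console.WriteLine($"'{ok}' accepted: {IsValidStatus(ok)}");
        Console.WriteLine($"scanner payload accepted: {IsValidStatus(scanner)}");

        var client = new MongoClient("mongodb://localhost:27017");
        var col = client.GetDatabase("botdb").GetCollection<BsonDocument>("chatsession");
        var sessions = col.Find(BuildFilter(1, ok)).ToList();
        Console.WriteLine($"{sessions.Count} session(s) with status '{ok}'");
    }
}
```

Serialising the value through a `JObject`, as in the question's code, already escapes quotes, so the allow-list there is defence in depth rather than the only barrier; with `Builders` the value is never parsed as JSON at all.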