NoSQLi - A Fast NoSQL Injection Scanner
Last year, I started working on a NoSQL injection framework, because I just couldn't find a tool that suited my purposes. Other tools were too hard to automate in my workflow, or missed many of the simple test cases I tried.
So I developed nosqli, an open source NoSQL injection scanner written in Go. It's configurable with command-line options, and runs a large number of injection attempts against targets. It's mostly focused on MongoDB injections, but it also works, to a lesser extent, against any database that uses JavaScript.
$ nosqli
NoSQLInjector is a CLI tool for testing Datastores that
do not depend on SQL as a query language.

nosqli aims to be a simple automation tool for identifying and exploiting
NoSQL Injection vectors.

Usage:
  nosqli [command]

Available Commands:
  help        Help about any command
  scan        Scan endpoint for NoSQL Injection vectors
  version     Prints the current version

Flags:
      --config string       config file (default is $HOME/.nosqli.yaml)
  -d, --data string         Specify default post data (should not include any injection strings)
  -h, --help                help for nosqli
  -p, --proxy string        Proxy requests through this proxy URL. Defaults to HTTP_PROXY environment variable.
  -r, --request string      Load in a request from a file, such as a request generated in Burp or ZAP.
  -t, --target string       target url eg. http://site.com/page?arg=1
  -u, --user-agent string   Specify a user agent

Use "nosqli [command] --help" for more information about a command.

$ nosqli scan -t http://localhost:4000/user/lookup?username=test
Running Error based scan...
Running Boolean based scan...
Found Error based NoSQL Injection:
URL: http://localhost:4000/user/lookup?=&username=test
param: username
Injection: username='
Using NoSQLi
I tried to keep the CLI interface for scanning simple and flexible. You can pass in a target URL whose GET parameters need to be scanned, or a saved request with POST data. The scanner detects whether the POST data is JSON or form-encoded and injects accordingly.
Configuration options currently include routing requests through a proxy (so you can inspect the generated traffic in Burp or a similar tool) and setting the user agent.
Scanning Types
NoSQLi implements the most commonly found injection vectors:
Error scans: look for known database error strings in the server's responses.
Blind boolean injections: for pages that don't return errors but do return different data depending on whether the injected condition evaluates to true or false in the database (or on whether some records are retrieved vs. none).
Timing-based injections: when all else fails, detect a successful injection by the delayed response it causes the database to send.
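To show, from the application side, the operator injection that the error and boolean scans above probe for against a lookup endpoint like the /user/lookup?username=test target, here is an added Go example that is not part of nosqli or the original post: a filter builder that lets a JSON body such as {"username": {"$ne": ""}} become a MongoDB query operator, the type-checked version that prevents it, and a check for "$"-prefixed keys to run before executing any query built from untrusted input. The handler shape and field name are assumptions; the plain map stands in for the bson.M document a MongoDB driver's Find call would receive, so the block runs without a database.

```go
package main

import (
	"encoding/json"
	"strings"
)

// vulnerableFilter copies the decoded JSON value straight into the query document, so a
// body of {"username": {"$ne": ""}} turns the equality match into an operator matching everyone.
func vulnerableFilter(body []byte) (map[string]interface{}, error) {
	var in map[string]interface{}
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	return map[string]interface{}{"username": in["username"]}, nil
}

// safeFilter decodes the field as a string and rejects anything else (object, array,
// number, or missing), so no query operator can reach the driver through this parameter.
func safeFilter(body []byte) (map[string]interface{}, error) {
	var in map[string]json.RawMessage
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	var username string
	if err := json.Unmarshal(in["username"], &username); err != nil {
		return nil, err // e.g. "cannot unmarshal object into Go value of type string"
	}
	return map[string]interface{}{"username": username}, nil
}

// containsOperator walks a filter (maps and arrays) and reports whether any key starts with "$".
func containsOperator(v interface{}) bool {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if strings.HasPrefix(k, "$") || containsOperator(child) {
				return true
			}
		}
	case []interface{}:
		for _, child := range t {
			if containsOperator(child) {
				return true
			}
		}
	}
	return false
}
```

The same type confusion arises with form-encoded bodies when a framework parses `username[$ne]=` into an object, so the string check belongs at the point the value is decoded, whatever the wire format.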
Using NoSQLi with Requests
A key feature missing from a few scanners I tried previously was the ability to export a request from a proxy and run the injections based on it. NoSQLi supports this directly and keeps all of the request's headers, including the user agent.
The tool does not yet support importing a full session log and testing every request in it sequentially, but saving a standard HTTP request to a file and referencing that file with -r gives repeatable tests and lets you reuse requests captured in other tools such as Burp.
Installing NoSQLi
The GitHub page has the full instructions. You can build from source or download and run the appropriate executable for your system.
Roadmap / Future features
I'd like to add data extraction and database-specific tests for NoSQL databases beyond MongoDB. If you have ideas, try it out and let me know what else you would like to see!