Couchbase NoSql Injection

security
#1

Hello,
I would like to secure the application from NoSQL injections especially for user log document fileds; like password.
What are the best methods to perform it? and if someone point me a good document with a sample code valid for couchbase?
My application uses PHP SDK to connect to couchbase.
I have read the following documentation but I didn’t undertsand much the practical steps ; http://docs.couchbase.com/admin/admin/security/security-in-applications.html

Thanks
W

Nosql Injection
#2

hey @brett19 can you help here

#3

Hi,
As @couchbwiss mentioned earlier, I’m also concerned about the security in applications.
Well, I was not lucky enough to find any practical manual out there…
Would be great if you guys from couchbase could provide a practical document for such a important topic “INJECTION”.
Nevertheless, I’m using go client library, but I believe it should be the same for all clients.
Looking forward to hearing from you guys
ma

#4

Hi @mr_ma the document you referred to is the most up to date. However @brett19 maybe able to provide more information

#5

Hey @couchbwiss and @mr_ma,

Maybe I can shed some more light on this for the two of you :smile:

The documentation you referred to is correct, but there is potentially more to it. I’ll start by explaining what that documentation means. Let’s say you have the following document in your Couchbase bucket:

{
    username: "nraboy",
    password: "1234",
    name: "Nic Raboy"
}

Let’s use some imagination here and say that password 1234 is actually a hash. Now let’s say malicious user John Doe knows what parts of your website are updating this particular document(s). He decides to enter a JSON string into a text field that looks like the following:

{
    type: "Pwnz",
    pass: "abc",
    password: "abc"
}

In certain scenarios the two non-existing properties will be merged into the document and the existing property will be replaced. John Doe’s goal is to hit a property that he can replace so he can gain access to the account, for example changing the password.

The moral of the story here is to not accept raw data that the user adds to input fields. In the application layer you should analyze the data, maybe reconstruct a sanitized JSON object with only necessary properties, then use that.

Let’s say you’re not using NoSQL lookup queries, but instead are using N1QL. Just like with any SQL language you should be using parametrized values in your query. Although this isn’t available for PHP yet, you are able to parametrize your N1QL queries in languages like Node.js and Java.

Does this better answer your questions?

Best,

#6

We use sync gateway and it provides an extra layer of security in this regard. E.g.We don’t allow fields in certain document types to be updated, and if someone tries to insert a document of an invalid format we return a forbidden error.

1 Like