Nosql Injection on Aws
How Nosql Injection Manifests in Aws
NoSQL injection in AWS environments typically occurs when user input is improperly handled by database queries, particularly with DynamoDB and MongoDB services. In AWS Lambda functions, this vulnerability often emerges when developers directly interpolate user input into database queries without proper sanitization.
Consider a Lambda function using DynamoDB:
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event) => {
const { username } = JSON.parse(event.body);
// Vulnerable: direct interpolation of user input
const params = {
TableName: 'users',
KeyConditionExpression: 'username = :username',
ExpressionAttributeValues: {
':username': username
}
};
const result = await dynamodb.query(params).promise();
return result;
};An attacker could exploit this by submitting a username like user OR username = "admin", potentially bypassing authentication or accessing unauthorized data.
Another common pattern appears in AWS API Gateway + Lambda setups where path parameters are used directly:
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event) => {
const userId = event.pathParameters.userId; // Directly from URL
const params = {
TableName: 'users',
Key: { 'id': userId } // No validation
};
const result = await dynamodb.get(params).promise();
return result;
};Attackers can craft malicious userId values to manipulate query logic or access unintended data.
MongoDB Atlas on AWS presents similar risks:
const { MongoClient } = require('mongodb');
const client = new MongoClient(process.env.MONGO_URI);
exports.handler = async (event) => {
const { email } = JSON.parse(event.body);
const db = client.db('usersDB');
const collection = db.collection('users');
// Vulnerable to NoSQL injection
const user = await collection.findOne({ email: email });
return user;
};Here, an attacker could use MongoDB operators like { "$ne": null } to bypass authentication or extract all users.
Aws-Specific Detection
Detecting NoSQL injection in AWS environments requires both static analysis and dynamic testing. For DynamoDB, middleBrick's scanning engine identifies vulnerable patterns by analyzing your Lambda functions' interaction with DynamoDB APIs.
middleBrick specifically tests for:
- Unvalidated user input in DynamoDB DocumentClient operations
- Direct interpolation of path parameters in database queries
- MongoDB Atlas queries with unescaped user input
- Missing input validation on API Gateway parameters
- Improper use of DynamoDB filter expressions with user-controlled data
During a scan, middleBrick executes active payloads against your API endpoints to detect injection vulnerabilities. For example, it tests whether special characters or NoSQL operators are properly handled in your queries.
Manual detection techniques include:
# Scan your Lambda functions for NoSQL injection patterns
middlebrick scan https://your-api-gateway-endpoint.amazonaws.com/prodmiddleBrick's NoSQL injection detection specifically looks for:
| Pattern | Description | Risk Level |
|---|---|---|
| Direct interpolation | User input used directly in query without validation | Critical |
| Operator injection | Special characters that modify query logic | High |
| Logic manipulation | Boolean operators altering query results | High |
| Type confusion | Unexpected data types causing query bypass | Medium |
For AWS SAM or CloudFormation templates, middleBrick analyzes your infrastructure-as-code to identify services that might be vulnerable and need scanning.
Aws-Specific Remediation
Remediating NoSQL injection in AWS requires input validation and proper query construction. For DynamoDB, use parameterized queries and strict input validation:
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
const validateInput = (input) => {
// Strict validation: only alphanumeric and underscore
const regex = /^[a-zA-Z0-9_]+$/;
return regex.test(input);
};
exports.handler = async (event) => {
const { username } = JSON.parse(event.body);
if (!validateInput(username)) {
return {
statusCode: 400,
body: JSON.stringify({ error: 'Invalid input' })
};
}
const params = {
TableName: 'users',
KeyConditionExpression: 'username = :username',
ExpressionAttributeValues: {
':username': username
}
};
const result = await dynamodb.query(params).promise();
return result;
};For API Gateway + Lambda, validate path parameters before database access:
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
const isValidUserId = (userId) => {
// Example: UUID validation
const regex = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/;
return regex.test(userId);
};
exports.handler = async (event) => {
const userId = event.pathParameters.userId;
if (!isValidUserId(userId)) {
return {
statusCode: 400,
body: JSON.stringify({ error: 'Invalid user ID format' })
};
}
const params = {
TableName: 'users',
Key: { 'id': userId }
};
const result = await dynamodb.get(params).promise();
return result;
};For MongoDB Atlas on AWS, use similar validation patterns:
const { MongoClient } = require('mongodb');
const client = new MongoClient(process.env.MONGO_URI);
const validateEmail = (email) => {
const regex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
return regex.test(email);
};
exports.handler = async (event) => {
const { email } = JSON.parse(event.body);
if (!validateEmail(email)) {
return {
statusCode: 400,
body: JSON.stringify({ error: 'Invalid email format' })
};
}
const db = client.db('usersDB');
const collection = db.collection('users');
// Safe: validated input
const user = await collection.findOne({ email: email });
return user;
};middleBrick's Pro plan includes continuous monitoring that can alert you when new NoSQL injection vulnerabilities are introduced in your AWS infrastructure, helping maintain security as your codebase evolves.