nosql injection in meteor.js application
NOSQL INJECTION IN APPS
Vietnam
WWW.DESIGNVELOPER.COM
1. INTRODUCTION
Hello! I am Son Leo
o At Designveloper for > 2 years
o Work with Meteor for > a year
You can find me at: @sonlexqt
Required: familiarity with
Don’t get me wrong!
is NOT INSECURE
SQL Injection
Queries use STRINGs as the control mechanism.
Exploits of a Mom
// query
INSERT INTO Students VALUES ( '$Name' )
// input
Robert'); DROP TABLE Students; --
// result
INSERT INTO Students VALUES ( 'Robert' ); DROP TABLE Students; --' )
source: https://xkcd.com/327
SQL Injection - One more example
// query
SELECT * FROM users WHERE username='peter' AND (password= ('$PWD'))
// input
' OR '1'='1
// result
SELECT * FROM users WHERE username='peter' AND (password='' OR '1'='1')
NoSQL Injection
Queries use OBJECTs as the control mechanism.
2. DEMO TIME
Meteor-shop web application
Let’s play the role of a hacker! With NoSQL Injection skill.
3. SOLUTIONS
“MAKE ASSERTIONS ON USER INPUT DATA”
CHECK to the rescue
https://atmospherejs.com/meteor/check
Check whether a value matches a pattern
$ meteor add check
check(slug, String);
ERROR: Expected String, got Object
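Added example (written for this transcript, not code from the slides or from the meteor-shop repository) tying together the "queries use OBJECTs as the control mechanism" slide and the check(slug, String) slide: a product lookup by slug, once with the method argument dropped straight into the Mongo selector and once guarded by a type assertion. The names findProductUnchecked, findProductChecked, PRODUCTS and matches are assumptions made here, and checkString is a simplified stand-in for Meteor's check(value, String), which throws a Match.Error with a similar message; real MongoDB evaluates far more operators than the two the toy matcher understands.

```javascript
// Constructed sample data standing in for a Products collection.
const PRODUCTS = [
  { _id: 'p1', slug: 'shoes', price: 50 },
  { _id: 'p2', slug: 'hat', price: 20 },
  { _id: 'p3', slug: 'unreleased-item', price: 0 },
];

// Stand-in for Meteor's check(value, String): the real package throws a
// Match.Error ("Expected String, got Object") when the pattern fails.
function checkString(value) {
  if (typeof value !== 'string') {
    throw new Error(`Match error: Expected String, got ${typeof value}`);
  }
}

// Toy selector evaluator: equality plus the $ne operator, just enough to
// show that the *shape* of the selector object decides what the query does.
function matches(doc, selector) {
  return Object.keys(selector).every((field) => {
    const cond = selector[field];
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) {
      return doc[field] !== cond.$ne; // operator object: compare with $ne
    }
    return doc[field] === cond;       // plain value: exact equality
  });
}

function find(selector) {
  return PRODUCTS.filter((doc) => matches(doc, selector));
}

// Vulnerable pattern (hypothetical method body): whatever the client sent,
// string or object, becomes part of the selector unchanged.
function findProductUnchecked(slug) {
  return find({ slug: slug });
}

// Hardened pattern, as the slides recommend: assert the argument's type
// before it reaches the query, so an object can never act as an operator.
function findProductChecked(slug) {
  checkString(slug);
  return find({ slug: slug });
}
```

With a string argument both functions return the single matching product. With a non-string argument the unchecked version lets the client supply a selector fragment instead of a value, which here widens the result to every document in the collection, while the checked version stops at the assertion and never runs the query. That difference is the whole NoSQL injection class in one place, and it is why the CHECK-CHECKER scan that follows looks for methods and publish functions with no check() at all.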
CHECK-CHECKER
https://atmospherejs.com/east5th/check-checker
Scan the code to detect methods / publish functions which haven’t checked their input data.
$ meteor add east5th:check-checker
Thanks! Any questions?
o meteor-shop demo application https://github.com/sonlexqt/meteor-shop