    • CommentAuthor doodlyfish
    • CommentTimeJul 31st 2010
     
    I've been using PHPIDS for just over a year now - it's pretty damn good considering it's free. While PHPIDS is able to pick up SQL injection, it seems unable to pick up simple MongoDB injection attacks. Recently I've seen a few injection attacks against MongoDB that PHPIDS is unable to detect, e.g.

    example.php?password[ne]=12 (which is the equivalent of password != 12)

    MongoDB seems to be being used more and more, so it'd be nice to see some support for it. It shouldn't be too tricky to implement. It'd just need to look at the array keys being passed in and look for "ne", "eq", etc.
    • CommentAuthor doodlyfish
    • CommentTimeJul 31st 2010
     
    If anyone's interested, I added it in myself. Something like this in your rules file:

    <rule><![CDATA[(\[(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice)\])]]></rule>

    And used this:

    function getKeys($array) {
        // Collect every key of a (possibly nested) request array as "[key]",
        // so the rule regex can be run against the keys rather than the values.
        $keys = array();
        if (is_array($array)) {
            foreach ($array as $key => $value) {
                $keys[] = '[' . $key . ']';
                // Recurse so keys nested deeper (e.g. q[x][y]) are collected too.
                if (is_array($value)) {
                    $keys = array_merge($keys, getKeys($value));
                }
            }
        }
        return $keys;
    }

    to get the values of my $_POST and $_GET parameters
    • CommentAuthor .mario
    • CommentTimeAug 5th 2010
     
    Interesting comment - I haven't worked with MongoDB so far. I will have a look at the tests regarding the rule you added and consider adding it to the core.
    • CommentAuthor .mario
    • CommentTimeAug 5th 2010
     
    Looking great! Just added the rule and a basic test to the trunk. Thanks a lot - this seems to be an interesting and future-relevant topic! Maybe it would make sense to create a thread in the SQLI forum on sla.ckers.org?
  1.  
    Just realized that rule should actually be

    <rule><![CDATA[(\[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice)\])]]></rule>

    (note the $ sign)
    • CommentAuthor .mario
    • CommentTimeAug 8th 2010
     
    So it would catch password[$ne]=12 ?
  2.  
    Yeah, that's right. All the conditionals need prefixing with a $ if they are to work :) I also noticed "$or" is missing as well (http://www.mongodb.org/display/DOCS/Advanced+Queries)

    <rule><![CDATA[(\[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])]]></rule>
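As an added example (not part of this thread and not PHPIDS code), the Python script below ties the pieces of the discussion together: it rebuilds the nested array that PHP produces from bracketed query parameters such as password[$ne]=12, ports the getKeys() helper posted above, runs the final rule regex over the flattened keys, and shows the application-side fix of refusing non-scalar credential values before they are turned into a query. The function names php_parse_query(), get_keys(), detect_mongo_operators() and build_login_filter() are my own, the query-string parser is a simplified stand-in for PHP's, and all query strings are constructed samples.

```python
import re
from urllib.parse import parse_qsl

# The final <rule> regex from the thread (with the $ prefix and $or).
# It uses nothing PCRE-specific, so Python's re module runs it unchanged.
MONGO_OPERATOR_RULE = re.compile(
    r"(\[\$(ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])"
)


def php_parse_query(query):
    """Rebuild PHP's $_GET nesting: 'a[b][c]=1' -> {'a': {'b': {'c': '1'}}}.

    Constructed, simplified stand-in for PHP's own parser: a bare '[]' takes
    the next numeric index, and a scalar is replaced when a later key nests
    under it. Percent-encoded brackets are decoded by parse_qsl, as PHP does.
    """
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        m = re.match(r"([^\[]*)((?:\[[^\]]*\])*)$", raw_key)
        if not m:
            continue  # unbalanced brackets: ignore the parameter
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for part in parts[:-1]:
            if part == "":
                part = str(len(node))
            child = node.get(part)
            if not isinstance(child, dict):
                child = {}
                node[part] = child
            node = child
        last = parts[-1] if parts[-1] != "" else str(len(node))
        node[last] = value
    return result


def get_keys(array):
    """Port of the thread's getKeys(): every key of a nested array as '[key]'."""
    keys = []
    if isinstance(array, dict):
        for key, value in array.items():
            keys.append("[" + str(key) + "]")
            if isinstance(value, dict):
                keys.extend(get_keys(value))
    return keys


def detect_mongo_operators(query):
    """Keys in the request that the rule flags, e.g. ['[$ne]']; [] when clean."""
    return [k for k in get_keys(php_parse_query(query))
            if MONGO_OPERATOR_RULE.search(k)]


def build_login_filter(params):
    """Application-side fix: only scalar strings may become query values.

    If the nested array {'$ne': '12'} were handed to the driver unchanged, the
    filter would become {password: {$ne: '12'}} and match every other password.
    """
    password = params.get("password", "")
    if not isinstance(password, str):
        raise ValueError("password must be a scalar string, not a nested structure")
    return {"password": password}


if __name__ == "__main__":
    for q in ("user=admin&password=12",                # constructed: clean
              "user=admin&password[ne]=12",            # constructed: no $, not an operator
              "user=admin&password[$ne]=12",           # constructed: flagged
              "q[$or][0][name]=a&q[$or][1][name]=b"):  # constructed: nested $or
        print(q, "->", detect_mongo_operators(q) or "clean")
```

Running the script prints which of the four sample requests the rule flags; note that password[ne]=12 is not reported, which is the point of the $ correction made in the thread, while the nested $or case is caught because get_keys() recurses into sub-arrays.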