Hello, welcome to the Wednesday, December 7th, 2016 edition of the Sandtonet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Many modern web applications are moving away from SQL databases to no sequel. We talked about this

a couple times in this podcast already, but

the one stack that gains some popularity here is the so-called mean stack, where mean stands

for MongoDB Express, Angularjs, and Node.js. The beauty of this is, from a developer point of view,

it's front end to back-end JavaScript. So really the only language you're coding in on the server

or on the client side is JavaScript. And then MongoDB will natively deal with JSON objects

very nicely.

So first question, of course, if we have no SQL, does this mean we have no SQL injection?

And actually, that's somewhat true.

In particular with MongoDB parameters don't really have to be escaped or like.

They're just passed to the database as a string.

So that works out pretty nicely.

However, the parameters themselves, they can be JSON objects.

And if you're not careful in assembling those JSON objects,

then of course you're back to what you had with secret injection.

Maybe not quite as bad, but a lot of the tricks that you're sort of used to with

secret injection are possible.

Boyan wrote some of this up in today's diary, and he walks through it in quite a bit of detail with examples. So if you're

testing MongoDB based applications, you definitely do want to take a look at his code samples

to see what's of the patterns are that you should log out for and how to write exploits in order to test whether or not your application

...