Challenge:
Name: NoSQL Manipulation
Description: Update multiple product reviews at the same time.
Difficulty: 4 star
Category: Injection
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Tools used:
Burp Suite, FoxyProxy
Resources used:
MongoDB Query Operator Documentation
Methodology:
With my complete lack of prior exposure to NoSQL databases, this challenge was a fun learning experience. The first thing I did, as usual, was read the expanded description and the supplied link to MongoDB’s query operator documentation. I also read up on NoSQL queries on Stack Overflow.
This research was, unfortunately, insufficient. After an extended period of poking and prodding the database using Burp Suite’s Repeater tool, I gave in and read the solution (I’m here to learn, not demonstrate mastery). Seeing how the actual query was formed, the reading I had done started to make better sense. Using the “not equals” operator on the Product ID field with an invalid ID number ensured that all table entries would be updated with Bender’s Banana Juice review.
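The mechanism behind that query, shown as an added example that is not Juice Shop's code or the author's: a review-update handler that drops the id from the request body straight into the MongoDB filter, beside a hardened handler that accepts only a primitive id. The in-memory collection and the small matcher that understands equality and `$ne` are constructed stand-ins for the real driver, so the snippet runs offline; the `updateMany`, `reviews`, and handler names are assumptions for illustration.

```javascript
// Added example (not Juice Shop's code): why passing a JSON body straight into
// a MongoDB update filter lets one request touch every review, and how a type
// check on the id closes it. The in-memory "collection" and the matcher that
// understands equality and $ne are constructed stand-ins for the real driver.

// Constructed sample data: three product reviews in a NoSQL collection.
const reviews = [
  { _id: 1, product: 1, author: 'bender', message: 'Fry liked it' },
  { _id: 2, product: 2, author: 'jim', message: 'Tasty' },
  { _id: 3, product: 3, author: 'bender', message: 'Banana Juice rules' },
];

// Minimal stand-in for MongoDB filter matching on a single field: a literal
// value is an equality test; an object carrying $ne is a "not equals" test.
function matchesField(docValue, condition) {
  if (condition !== null && typeof condition === 'object') {
    if ('$ne' in condition) return docValue !== condition.$ne;
    throw new Error('operator not supported by this stand-in');
  }
  return docValue === condition;
}

// Stand-in for collection.updateMany(filter, { $set: ... }): applies the set
// to every matching document and returns how many were modified.
function updateMany(collection, filter, set) {
  let modified = 0;
  for (const doc of collection) {
    if (Object.keys(filter).every((k) => matchesField(doc[k], filter[k]))) {
      Object.assign(doc, set);
      modified++;
    }
  }
  return modified;
}

// Vulnerable handler: the id from the request body becomes the filter as-is.
// A body that carries an object such as { "$ne": -1 } instead of a number
// turns the filter into "every review whose _id is not -1", i.e. all of them.
function vulnerableUpdateReview(collection, body) {
  return updateMany(collection, { _id: body.id }, { message: body.message });
}

// Hardened handler: the id must be a number or string before it reaches the
// query. Any object, including one carrying query operators, is rejected, so
// the filter can only ever be an equality match on a single review.
function hardenedUpdateReview(collection, body) {
  const id = body.id;
  if (typeof id !== 'number' && typeof id !== 'string') {
    throw new TypeError('review id must be a number or string');
  }
  return updateMany(collection, { _id: id }, { message: body.message });
}

// Fresh copy of the constructed data for each run.
const clone = () => reviews.map((r) => ({ ...r }));

// Runs the three cases and reports the counts so they can be checked.
function demo() {
  const normal = vulnerableUpdateReview(clone(), { id: 2, message: 'edited' });
  const injected = vulnerableUpdateReview(clone(), {
    id: { $ne: -1 },
    message: 'same text on every review',
  });
  let blocked = false;
  try {
    hardenedUpdateReview(clone(), { id: { $ne: -1 }, message: 'x' });
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  return { normal, injected, blocked };
}

console.log(demo());
```

The detection side of this is just as simple as the fix: the framework's body parser already decodes the id, so a log line or request filter that flags a non-primitive value in a field that should only ever be an identifier catches the attempt before it reaches the database. Libraries such as `mongo-sanitize` strip keys beginning with `$` for the same reason, but an explicit type check is easier to reason about in review.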
Prevention and Mitigation Strategies:
OWASP Injection Prevention Cheat Sheet
Lessons Learned and Things Worth Mentioning:
I need to spend more time with NoSQL databases, because the syntax used here was completely foreign to me. I’ll probably wind up taking a Udemy course, as one of the silver linings of unemployment is an abundance of free time to learn new things.