Name: NoSQL Manipulation
Description: Update multiple product reviews at the same time.
Difficulty: 4 star
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Burp Suite, FoxyProxy
MongoDB Query Operator Documentation
With my complete lack of prior exposure to NoSQL databases, this challenge was a fun learning experience. The first thing I did, as usual, was read the expanded description and the supplied link to MongoDB’s query operator documentation. I also read up on NoSQL queries on Stack Overflow.
This research was, unfortunately, insufficient. After an extended period of poking and prodding the database using Burp Suite’s Repeater tool, I gave in and read the solution (I’m here to learn, not demonstrate mastery). Seeing how the actual query was formed, the reading I had done started to make better sense. Using the “not equals” operator on the Product ID field with an invalid ID number ensured that all table entries would be updated with Bender’s Banana Juice review.
Prevention and Mitigation Strategies:
OWASP Injection Prevention Cheat Sheet
Lessons Learned and Things Worth Mentioning:
I need to spend more time with NoSQL databases, because the syntax used here was completely foreign to me. I’ll probably wind up taking a Udemy course, as one of the silver linings of unemployment is an abundance of free time to learn new things.