Couchbase is a relatively new NoSQL database. Like any other new technology, it comes with some security concerns. I've spent quite some time trying to understand the risk of injection using the go-couchbase client library. According to their documentation, I know that it is possible to form schema and JavaScript injection attacks. However, I was not able to form any nasty attack. It seems like plain string values are not being parsed (eval'd) on the Couchbase side. Here is my sample:
// cbpool (a *couchbase.Pool) and bi (bucket name and password) are set up earlier.
cbbucket, err = cbpool.GetBucketWithAuth(bi.Name, bi.Name, bi.Password)
if err != nil {
	fmt.Printf("Failed to connect to bucket %s %v", bi.Name, err)
	return
}
// The value is passed to Set as a plain Go string.
input := `{"v1":"Malicous"}`
err = cbbucket.Set("k1", 0, input)
if err != nil {
	fmt.Printf("set failed error %v", err)
	return
}
I assume the input is the point where an attacker can manipulate data. Nevertheless, what is stored in Couchbase is a harmless (escaped) version of the input. Here is the stored value in the DB:
"{\"v1\":\"Malicous\"}"
By looking at the encoding/json package, I came to know that Go can parse generic JSON objects on the fly using interface{}. Therefore, I have modified my exploitation code as follows:
// cbpool (a *couchbase.Pool) and bi (bucket name and password) are set up earlier.
cbbucket, err = cbpool.GetBucketWithAuth(bi.Name, bi.Name, bi.Password)
if err != nil {
	fmt.Printf("Failed to connect to bucket %s %v", bi.Name, err)
	return
}
input := `{"v1":"Malicous"}`
b := []byte(input)
// Decode the raw input into a generic value before handing it to Set.
var f interface{}
err = json.Unmarshal(b, &f)
if err != nil {
	fmt.Printf("unmarshal failed error %v", err)
	return
}
err = cbbucket.Set("k1", 0, &f)
if err != nil {
	fmt.Printf("set failed error %v", err)
	return
}
This time the exploitation succeeds. Here is the malicious JSON object stored in Couchbase:
{
"v1": "Malicous"
}
Well, this exploitation is not so exciting... as it really requires the developer to blindly Unmarshal user input and store it in the DB. I was wondering if there are other easier exploitation techniques, derived from string concatenation, which do not require such huge carelessness.
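The following is an added example, not code from the question or from go-couchbase. It reproduces the two observations above without a Couchbase server by modelling what a JSON-flagged Set does to its value as json.Marshal (an assumption about how go-couchbase encodes non-[]byte values), and then shows the string-concatenation case the question asks about: a document body assembled around untrusted input, decoded with Unmarshal and stored as an object, next to the same input stored through a typed struct. The User type, the Payload value and the helper names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// User is the document shape a hypothetical application stores per account.
type User struct {
	Name  string `json:"name"`
	Admin bool   `json:"admin"`
}

// Payload is a constructed attacker-controlled "name" that closes the
// string it is spliced into and appends keys of its own.
const Payload = `alice","admin":true,"x":"`

// EncodeForSet models what a JSON-flagged Set does to its value before
// sending it to the cluster. Assumption: json.Marshal, which is how
// go-couchbase encodes non-[]byte values; no server is contacted here.
func EncodeForSet(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// BuildByConcatenation is the risky pattern: the document body is assembled
// by string concatenation around untrusted input, then unmarshaled into a
// generic value so that Set stores it as an object rather than a string.
func BuildByConcatenation(name string) (map[string]interface{}, error) {
	doc := `{"name":"` + name + `"}`
	var f map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &f); err != nil {
		return nil, err
	}
	return f, nil
}

// BuildSafely never builds JSON text by hand: the input becomes the value of
// a typed field, and json.Marshal escapes any quotes or braces inside it.
func BuildSafely(name string) User {
	return User{Name: name, Admin: false}
}

// UnexpectedKeys reports keys present in a decoded document beyond the ones
// the application intended to write; a non-empty result means the input
// changed the document's structure, not just a value.
func UnexpectedKeys(doc map[string]interface{}, intended ...string) []string {
	allowed := map[string]bool{}
	for _, k := range intended {
		allowed[k] = true
	}
	var extra []string
	for k := range doc {
		if !allowed[k] {
			extra = append(extra, k)
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	// Reproduces the question's two observations: a plain string value is
	// stored as an escaped JSON string, a decoded value as a JSON object.
	raw := `{"v1":"Malicous"}`
	asString, _ := EncodeForSet(raw)
	var generic interface{}
	_ = json.Unmarshal([]byte(raw), &generic)
	asObject, _ := EncodeForSet(generic)
	fmt.Println("string value stored as:", asString)
	fmt.Println("decoded value stored as:", asObject)

	// Concatenation: the payload adds an "admin" key the code never wrote.
	doc, err := BuildByConcatenation(Payload)
	if err != nil {
		fmt.Println("unmarshal failed:", err)
		return
	}
	concat, _ := EncodeForSet(doc)
	fmt.Println("concatenated document:", concat)
	fmt.Println("unexpected keys:", UnexpectedKeys(doc, "name"))

	// Typed struct: the same payload is just a string value.
	safe, _ := EncodeForSet(BuildSafely(Payload))
	fmt.Println("struct document:", safe)
}
```

The point of contrast is that the escaping seen in the first experiment is done by json.Marshal on the client, not by Couchbase; once the application concatenates JSON text itself and decodes it, that protection is gone and the stored document carries whatever keys the input added. UnexpectedKeys is the kind of check a reviewer can run over decoded input before it reaches Set.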