
An Introduction to DynamoDB Injection

Let's take a look at an introduction to DynamoDB injection and an attack scenario that is similar to NoSQL injection attacks against MongoDB.

By Abhay Bhargav · Aug. 06, 18 · Analysis

I have been developing a bunch of serverless apps and experimenting with serverless security for our (we45's) work in pentesting and for our training on Serverless Security at OWASP AppSecUSA 2018, and I came across this interesting scenario during my research.

If you are working with AWS Lambda (serverless), chances are you will also be working with AWS's NoSQL database, DynamoDB. DynamoDB is AWS's managed cloud NoSQL service; it supports both document models (like MongoDB) and key-value models (like Redis). DynamoDB and Lambda are a popular combination that many developers use to build and run serverless applications on AWS infrastructure.

A Quick Note on DynamoDB

Being a managed cloud NoSQL service, DynamoDB comes with a plethora of features, from in-memory caching (DAX) to seamless scaling to encryption at rest, and many more. As a database, it supports the usual CRUD operations on data: inserts, updates and deletes for writes, and Query and Scan for reads. DynamoDB has tables (named similarly to SQL tables). Tables hold items, and each item is a collection of attributes, roughly the equivalent of a document.

DynamoDB has two kinds of primary key. The first is a simple primary key made up of a single partition key: DynamoDB feeds the partition key value into an internal hash function, and the output of that hash determines the partition in which the item is stored. In a table that has only a partition key, the partition key value must be unique. For example, in a User table with a partition key of UserID, each UserID must be unique, and you can GET a user's attributes by referencing the UserID.

The second is a composite primary key made up of a partition key and a sort key (the sort key is also called a range key). Here the partition key no longer has to be unique: several items can share a partition key value, but they must then have different sort key values, because the combination of partition key and sort key must be unique for every item.

The two major ways to perform SELECT-like reads on DynamoDB tables are Query and Scan. A Query must specify an equality condition on the partition key (optionally with a condition on the sort key) and may apply additional filters to the items it returns. A Scan, on the other hand, reads the entire table and returns the items that pass its ScanFilter. It goes without saying that Query is more efficient, since it only touches one partition, but Scan is useful for fuzzy searches or search by arbitrary attributes without having to know the partition key; the price is that every item in the table is read (and billed for) whether or not it matches the filter.

Injecting DynamoDB

This attack scenario is very similar to NoSQL injection attacks against MongoDB (link), and I have been able to validate it against the scan() function of DynamoDB.

Full disclosure: I have reported this issue to AWS. However, they (rightly) mentioned that this is the intended behavior of the DB and it's up to the developers to ensure the security of their applications when they use DynamoDB. Therefore, it's something that developers need to be watchful of.

The snippets below are written against the Python boto3 low-level DynamoDB client (client.scan() with the legacy ScanFilter parameter). The first one shows the lookup a developer intends: an exact match on two attributes.

Code Snippet:
# Intended lookup: both attributes must equal the supplied strings
client.scan(TableName = 'dynamo-user', Select = 'ALL_ATTRIBUTES',
            ScanFilter = {'first_name': {"AttributeValueList": [{"S": "Joe"}],
                                         "ComparisonOperator": "EQ"},
                          'last_name': {"AttributeValueList": [{"S": "SixPack"}],
                                        "ComparisonOperator": "EQ"}})
In the above code snippet, I am using a Scan operation filtered on the first_name and last_name attributes. Each filter value is a string, denoted by the S type descriptor in AttributeValueList, and the ComparisonOperator is EQ (equals). DynamoDB supports a number of comparison operators, including:
EQ | NE | IN | LE | LT | GE | GT | BETWEEN | NOT_NULL | NULL | CONTAINS | NOT_CONTAINS | BEGINS_WITH

With string attributes, comparison gets tricky. DynamoDB compares strings by the bytes of their UTF-8 encoding, so a value such as * (0x2A) or a single space (0x20) sorts below every string that begins with a letter or a digit. A "greater than" comparison against such a value will therefore match practically every real name in the table. (The same byte ordering means uppercase letters sort before lowercase ones, so "Z" < "a", which matters if you ever rely on a range comparison for access control.) Here's another code snippet demonstrating this:

Code Snippet:
client.scan(TableName = 'dynamo-user', Select = 'ALL_ATTRIBUTES',
            ScanFilter = {'first_name': {"AttributeValueList": [{"S": "*"}],
                                         "ComparisonOperator": "GT"},
                          'last_name': {"AttributeValueList": [{"S": "*"}],
                                        "ComparisonOperator": "GT"}})

# Every item in the table is returned, similar to an OR 1=1 SQL injection payload

client.scan(TableName = 'dynamo-user', Select = 'ALL_ATTRIBUTES',
            ScanFilter = {'first_name': {"AttributeValueList": [{"S": " "}],
                                         "ComparisonOperator": "GT"},
                          'last_name': {"AttributeValueList": [{"S": " "}],
                                        "ComparisonOperator": "GT"}})

# Every item in the table is returned again, similar to an OR 1=1 SQL injection payload

In the above example, I am using the GT ("greater than") ComparisonOperator to check whether the first_name and last_name attributes are greater than * or " ". In practice this matches every record in the database, because * < WhateverString for any name that starts with a letter. So if an attacker is able to manipulate (through the app or its interface) the value placed in the AttributeValueList, or can choose or alter the ComparisonOperator (GT, LT, NE, NOT_CONTAINS, and so on), the attacker may be able to retrieve far more of the dataset than the developer intended to expose to the user.
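The following is an added example, not code from the article: a small local model of how DynamoDB's legacy ScanFilter evaluates string conditions (UTF-8 byte ordering, the operator list above, conditions ANDed together), used to show both the string-ordering point and the injection point from the previous two paragraphs in one runnable script. Nothing here calls AWS: the USERS table, scan(), vulnerable_lookup() and hardened_lookup() are all constructed for this page, and the real call they stand in for is boto3's client.scan().

```python
# Added example (not from the article): local model of DynamoDB ScanFilter
# semantics. USERS, scan(), vulnerable_lookup() and hardened_lookup() are
# constructed for illustration; no AWS call is made.

# Constructed sample table, in the attribute-value wire format boto3 returns.
USERS = [
    {"user_id": {"S": "u1"}, "first_name": {"S": "Joe"},   "last_name": {"S": "SixPack"}},
    {"user_id": {"S": "u2"}, "first_name": {"S": "Alice"}, "last_name": {"S": "Adams"}},
    {"user_id": {"S": "u3"}, "first_name": {"S": "zed"},   "last_name": {"S": "Ziegler"}},
]


def string_key(attr):
    """DynamoDB orders string attributes by their UTF-8 bytes: case-sensitive,
    no locale rules. Only the S type is modelled in this example."""
    if "S" not in attr:
        raise TypeError("only S attributes are modelled here")
    return attr["S"].encode("utf-8")


def condition_matches(item_attr, cond):
    """Evaluate one ScanFilter condition against one item attribute
    (item_attr is None when the item does not have the attribute)."""
    op = cond["ComparisonOperator"]
    vals = [string_key(v) for v in cond.get("AttributeValueList", [])]
    if op == "NULL":
        return item_attr is None
    if op == "NOT_NULL":
        return item_attr is not None
    if item_attr is None:          # every other operator fails on a missing attribute
        return False
    x = string_key(item_attr)
    ops = {
        "EQ": lambda: x == vals[0], "NE": lambda: x != vals[0],
        "LT": lambda: x < vals[0],  "LE": lambda: x <= vals[0],
        "GT": lambda: x > vals[0],  "GE": lambda: x >= vals[0],
        "BETWEEN": lambda: vals[0] <= x <= vals[1], "IN": lambda: x in vals,
        "BEGINS_WITH": lambda: x.startswith(vals[0]),
        "CONTAINS": lambda: vals[0] in x, "NOT_CONTAINS": lambda: vals[0] not in x,
    }
    if op not in ops:
        raise ValueError(f"unsupported ComparisonOperator {op!r}")
    return ops[op]()


def scan(table, scan_filter):
    """Model of client.scan(..., ScanFilter=...): read every item and keep the
    ones satisfying all conditions (ConditionalOperator defaults to AND)."""
    return [item for item in table
            if all(condition_matches(item.get(name), cond)
                   for name, cond in scan_filter.items())]


def vulnerable_lookup(table, user_filter):
    """The injectable pattern: the parsed request body is passed straight through
    as the ScanFilter, so the caller controls the values AND the operator."""
    return scan(table, user_filter)


ALLOWED_FIELDS = {"first_name", "last_name"}   # constructed allow-list


def hardened_lookup(table, fields):
    """The server builds the ScanFilter itself: attribute names are allow-listed,
    values must be non-empty plain strings, and the operator is pinned to EQ."""
    scan_filter = {}
    for name, value in fields.items():
        if name not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field {name!r}")
        if not isinstance(value, str) or not value:
            raise ValueError(f"field {name!r} must be a non-empty string")
        scan_filter[name] = {"AttributeValueList": [{"S": value}],
                             "ComparisonOperator": "EQ"}
    return scan(table, scan_filter)


if __name__ == "__main__":
    intended = {"first_name": {"AttributeValueList": [{"S": "Joe"}], "ComparisonOperator": "EQ"},
                "last_name": {"AttributeValueList": [{"S": "SixPack"}], "ComparisonOperator": "EQ"}}
    injected = {"first_name": {"AttributeValueList": [{"S": "*"}], "ComparisonOperator": "GT"},
                "last_name": {"AttributeValueList": [{"S": "*"}], "ComparisonOperator": "GT"}}
    print(len(vulnerable_lookup(USERS, intended)), "item(s) for the intended EQ filter")
    print(len(vulnerable_lookup(USERS, injected)), "item(s) for the GT '*' payload")
    print(len(hardened_lookup(USERS, {"first_name": "Joe", "last_name": "SixPack"})), "item(s) hardened")
```

The hardened version fixes the injection, not the cost: it still performs a full-table Scan, so where the application actually knows the key it should use GetItem or Query on the partition key instead. If you use the newer expression API rather than the legacy ScanFilter, the same rule applies: keep user input in ExpressionAttributeValues (for example FilterExpression="first_name = :fn" with :fn bound to the string) and never let the client supply the operator or any part of the expression text.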

As I mentioned before, this is very similar to the MongoDB NoSQL injection attack possibilities, where MongoDB operators like $gte, $lte and $ne can be used to manipulate the returned result set.


Published at DZone with permission of Abhay Bhargav, DZone MVB. See the original article here.
