• Stars
    star
    106
  • Rank 325,871 (Top 7 %)
  • Language
    Python
  • License
    MIT License
  • Created over 6 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Predict Mongo ObjectIds

Mongo ObjectId introduction

Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId value consists of:

  • a 4-byte value representing the seconds since the Unix epoch,
  • a 3-byte machine identifier,
  • a 2-byte process id, and
  • a 3-byte counter, starting with a random value.

Some web and REST APIs use these as resource IDs, and because developers believe they are randomly generated or difficult to guess, they are also frequently used as (a very weak) authorization layer: if you know the ObjectId then you have to be the right user.

A potentially vulnerable REST API will look like this:

GET /pet/5ae9b90a2c144b9def01ec37 HTTP/1.1
Host: vulnerable.com
X-API-Key: ...

And the code that handles that request (notice the lack of authorization):

@route('/pet/{id}')
@is_authenticated
def handle_get_pet(id):
    return PetFromMongoORM.get(id)

Predicting Mongo ObjectIds

The tool I created will predict Mongo ObjectIds given a valid initial value:

./mongo-objectid-predict 5ae9b90a2c144b9def01ec37
...
5ae9bac82c144b9def01ec39
...
5ae9bacf2c144b9def01ec3a
...
5ae9bada2c144b9def01ec3b

Usually you'll use this tool together with Burp, or your own custom script in order to brute-force a resource:

import requests

from mongo_objectid_predict import predict

for objectid in predict('5ae9b90a2c144b9def01ec37'):
    response = requests.get('http://target.com/resource/%s' % objectid)
    process_response(response)

Controlling the prediction process

There are two command line parameters which will control how many potential mongo ObjectIds are generated: --counter-diff and --per-counter.

Counter diff will control the iteration over the last 3 bytes (the counter) of the ObjectId. So, if the last 3 bytes from the base ObjectId were 000020, you can control how much to increment or decrement this value using --counter-diff. By default we set it to 20.

Per counter will control the first 4 bytes of the ObjectId: the epoch time. For each newly generated counter (last 3 bytes) the tool will generate N --per-counter epoch times.

It is important to know that ObjectIds are generated for all MongoDB tables: the counter will be incremented for objects which are not the one queried by the application. This means that depending on the way the application was developed, its load, etc. you might need to play with --counter-diff and --per-counter until something interesting is found.

The last parameter you can use is --backward. Instead of adding to the counter the tool will decrease it. The same thing happens with the epoch counter.

Improvements

This tool should work on simple MongoDB installations, where no clusters are used (machine identifier remains constant) and the MongoDB hasn't been restarted (process ID remains constant).

For other scenarios prediction is still possible, but requires more requests and potentially a different algorithm which receives more samples, analyzes them and then starts producing ObjectIds for that specific installation.

More Repositories

1

w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
Python
4,309
star
2

enumerate-iam

Enumerate the permissions associated with AWS credential set
Python
840
star
3

nimbostratus

Tools for fingerprinting and exploiting Amazon cloud infrastructures
Python
429
star
4

race-condition-exploit

Tool to help with the exploitation of web application race conditions
Python
178
star
5

websocket-fuzzer

HTML5 WebSocket message fuzzer
Python
133
star
6

jwt-fuzzer

JWT fuzzer
Python
104
star
7

cc-lambda

Search the common crawl using lambda functions
Python
76
star
8

secure-ubuntu-desktop

Maintain a list of tips and tricks to be used by Ubuntu users to secure their laptops.
65
star
9

w3af-webui

Django Web UI contributed by Yandex for w3af.
JavaScript
52
star
10

vpc-vpn-pivot

Pivot into private VPC networks using a VPN connection
Python
37
star
11

django-moth

A Django vulnerable Web application for testing the w3af framework
Python
31
star
12

w3af-moth

A set of vulnerable PHP scripts used to test w3af's vulnerability detection features.
HTML
29
star
13

w3af-kali

w3af packaging for Kali distribution
Python
25
star
14

splunk-logger

A logging handler for Splunk. Lets you send information to Splunk directly from your Python code.
Python
23
star
15

aws-audit-automation

Tools to automate AWS Cloud security assessments
Python
23
star
16

nimbostratus-target

This repository holds a target infrastructure you can use for running the nimbostratus tools.
Python
22
star
17

w3af-api-client

REST API client to consume w3af
Python
17
star
18

pico-wavsep

A minimalistic way to run WAVSEP
Python
13
star
19

docker-anomalies

Docker container anomaly detection
Python
12
star
20

aws-backup

AWS Backup implementation in terraform
HCL
12
star
21

owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
HTML
12
star
22

pico

Tool to identify and exploit timing attacks
Python
10
star
23

burp-proxy-search

Burp suite HTTP history advanced search
Python
10
star
24

w3af-module

Tools to install w3af as a Python module
Python
9
star
25

docker-tag-naming

A small tool that helps name docker tags
Python
9
star
26

sentinela

Sentinela is a highly configurable operating system watchdog which can take actions based on pre-configured rules.
Python
8
star
27

collector

Collect performance metrics for any software using AWS
Python
7
star
28

w3af-api-docker

Docker image for w3af REST API with nginx, uwsgi and supervisord
Python
6
star
29

w3af-packages

Files and utilities that define w3af packages and installers for Windows, Debian, FreeBSD, etc.
C
6
star
30

w3af-qa

Quality related stuff for w3af.
Python
4
star
31

dirty-dependency-check

Vulnerability dependency check for Maven projects
Python
4
star
32

django-uwsgi-nginx-ssh

Django 1.5.1 with uwsgi, nginx and SSH.
Nginx
4
star
33

cryptopals

My solutions to the cryptopals challenge
Python
4
star
34

hash-blender

Takes various inputs and separators, mixes them, applies a hash function and verifies if match was found
Python
3
star
35

w3af-performance-analysis

Analysis tool for performance output generated by w3af
Python
3
star
36

py-xchat-twitter

Twitter client written as an XChat plugin (Python)
Python
3
star
37

pico-string-compare-local

String comparison scripts for pico
Python
2
star
38

qotd

A simple quote of the day library
Python
2
star
39

w3af-misc

Misc code loosely related to the w3af project.
Python
1
star
40

burp-extensions

Collection of Burp extensions
1
star
41

w3af-kali-ci

A helper repository to build w3af-kali in CircleCI
Shell
1
star
42

django-registration

https://bitbucket.org/ubernostrum/django-registration with minor modifications
Python
1
star
43

django-rest-framework-timing

Minimalistic Django REST framework to test timing attacks
Python
1
star
44

high-entropy-json

Call Lyft's high-entropy-string for each string in a JSON document
Python
1
star