Merge branch 'pr-13' into develop

Author: PauloASilva

2019/en/src/0xa8-injection.md

@@ -60,6 +60,34 @@ vulnerable firmware:
 $ curl -k "https://${deviceIP}:4567/api/CONFIG/restore" -F 'appid=$(/etc/pod/power_down.sh)'
 ```
 
+### Scenario #3
+
+We have an application with basic CRUD functionality for operations with
+bookings. An attacker managed to identify that NoSQL injection might be possible
+through `bookingId` query string parameter in the delete booking request. This
+is how the request looks like: `DELETE /api/bookings?bookingId=678`.
+
+The API server uses the following function to handle delete requests:
+
+```javascript
+router.delete('/bookings', async function (req, res, next) {
+  try {
+      const deletedBooking = await Bookings.findOneAndRemove({'_id' : req.query.bookingId});
+      res.status(200);
+  } catch (err) {
+     res.status(400).json({error: 'Unexpected error occured while processing a request'});
+  };
+```
+
+Attacker intercepted the request and changed `bookingId` query string parameter
+as below:
+
+```
+DELETE /api/bookings?bookingId[$ne]=678
+```
+
+As a result, the attacker managed to delete another user booking.
+
 ## How To Prevent
 
 Preventing injection requires keeping data separate from commands and queries.