From ddb0c68571006f44f46bdd60948d895b3c49f267 Mon Sep 17 00:00:00 2001 From: IgorSasovets Date: Mon, 24 Jun 2019 21:57:16 +0300 Subject: [PATCH] fix: added NoSQL scenario example --- 2019/en/src/0xa8-injection.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/2019/en/src/0xa8-injection.md b/2019/en/src/0xa8-injection.md index 37f7fde43..4ab9ccb39 100644 --- a/2019/en/src/0xa8-injection.md +++ b/2019/en/src/0xa8-injection.md @@ -60,6 +60,30 @@ vulnerable firmware: $ curl -k "https://${deviceIP}:4567/api/CONFIG/restore" -F 'appid=$(/etc/pod/power_down.sh)' ``` +### Scenario #3 + +We have MEAN stack application with basic CRUD functionality for operations with +bookings. Attacker managed to identify that NoSQL injection might be possible +through `bookingId` query string parameter in delete booking request. +Request looks like: +`DELETE /bookings?bookingId=678` + +On server side, application uses the following function to handle a request: + +``` +router.delete('/bookings', async function (req, res, next) { + try { + const deletedBooking = await Bookings.findOneAndRemove({'_id' : req.query.bookingId}); + res.status(200); + } catch (err) { + res.status(400).json({error: 'Unexpected error occured while processing a request'}); + }; +``` + +Attacker intercepted the request and changed bookingId query string parameter as below: +`DELETE /bookings?bookingId[$ne]=678` +As a result, an attacker managed to delete another user booking. + ## How To Prevent Preventing injection requires keeping data separate from commands and queries.
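Review bot: The handler in the added Scenario #3 code block is not valid JavaScript as written. The `try`/`catch` ends with `};` but the `router.delete('/bookings', async function (req, res, next) {` call is never closed, so the block needs a final `});`. In the same block, `res.status(200);` only sets the status and never sends a response; `res.status(200).end();` or a `.json(...)` call would make the example behave as a reader expects. The scenario would also benefit from one sentence saying why `bookingId[$ne]=678` works: `req.query.bookingId` arrives as an object rather than a string and is passed unchanged into the `findOneAndRemove` filter. That ties the example to the type validation advice under "How To Prevent". Wording nits: "We have MEAN stack application" should be "We have a MEAN stack application", "occured" should be "occurred", and "another user booking" should be "another user's booking". The two request lines (`DELETE /bookings?bookingId=678` and the modified one) are followed directly by prose with no blank line, so they may render run together with the next sentence; consider putting each on its own paragraph.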