Too fast, too insecure: Securing Mongo Express web administrative interfaces

Mongo Express is a lightweight web-based administrative interface deployed to manage MongoDB databases interactively. It is authored using Node.js, Express and Bootstrap packages. This case study highlights the deployment of Mongo Express admin panels without authentication on the Internet and the various measures to prevent the exposure.

The authentication scheme

Mongo Express comes with a config-default.js file. It primarily supports basic authentication, which encompasses the base64 encoded payload of a username:password combination. This means that, if the basic authentication is configured, the HTTP request header Authorization: Basic <payload> should be transmitted with every request to access different Mongo Express web components. Figure 1 shows the variables used to provide the basic authentication credentials.

Figure 1. Mongo Express web management console authentication variables

In addition to the web panel authentication scheme discussed above, the Mongo Express package supports database authentication credentials to be passed via environment variables. Passing credentials via environment variables can result in leakage of information at multiple places if the host is deployed using virtual machines or containers. Figure 2 shows the types of environment variables used to pass the values.

Figure 2. Environment variables for the Mongo database connection

The Mongo Express environment variables used to provide authentication are shown in Figure 3:

Figure 3. Docker environment variables for Mongo Express authentication

Overall, basic authentication is used for securing the Mongo Express web administrative panels and environment variables are used to store credentials for configuring back-end connections to the main MongoDB database.

Mongo Express: HTTP request/response

In the default state, Mongo Express transmits HTTP request and response headers as shown in Listing 1. The mongo-express cookie parameter is created for storing session-related information.

Listing 1. HTTP request/response by the Mongo Express web server

The set-cookie:mongo-express signature can be used to fingerprint Mongo Express deployments on the Internet.

Empirical analysis

There are thousands of Mongo Express web administration panels exposed on the Internet and they can be accessed without authentication. This means that that any remote user can access these interfaces and execute commands or retrieve sensitive information.

Here you can see the HTTP resource paths that can be used to scan for Mongo Express instances running on the Internet without authentication:

Direct web links

• [IP:port]/db/config/
• [IP:port]/db/config/system.sessions
• [IP:port]/db/admin/system.users
• [IP:port]/db/admin/system.version
• [IP:port]/db/local/startup_log

JSON dumps

• [IP:port]/db/config/
• [IP:port]/db/config/expArr/system.sessions
• [IP:port]/db/admin/expArr/system.users
• [IP:port]/db/admin/expArr/system.version
• [IP:port]/db/local/expArr/startup_log

Listing 2 simply projects the output of the cURL request sent to access the resources used by the Mongo Express package:

Listing 2. Accessing the JSON dump of System.Users without authentication from a remote server

Here are a few examples from the real-time assessment of unauthenticated Mongo Express web administrative instances we conducted.

Accessing Admin Root: It is possible to access and edit the document containing details of the credentials such as salt, storedKey, serverKey and other values. Figure 4 shows the same.

Figure 4. Extracting the roles and credentials of Admin.Root

Database deletion: Figure 5 and Figure 6 show that it’s possible to drop the databases by deleting all associated collections. The examples show the deletion of the startup_log database from the insecure Mongo Express administrative panel.

Figure 5. Initiating deletion of collections from the database

Figure 6. Database dropped successfully

Information leakage: The logs can also reveal internal information about the build environment, as shown in Figure 7.

Figure 7. Information leakage about the build environment

Recommendations

The examples presented above highlight why it is important to secure Mongo Express instances deployed on the Internet. Here are some tips for preventing exposure:

1. Restrict access with strong credentials and deploy perimeter access controls.
2. Perform regular vulnerability assessment and penetration testing of exposed services on the network perimeter to ensure critical services are restricted and are not running insecure versions of software.
3. Develop strong and robust risk assessment program to ensure risks are known upfront and remediated accordingly.
4. Perform configuration reviews at regular intervals and incorporate the practice by developing a Security Impact Analysis (SIA) plan.