CouchDB Injection Active Scan Rules for OWASP ZAP

Matteo Pappada'. CouchDB Injection Active Scan Rules for OWASP ZAP. Supervisor: Riccardo Sisto. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2021.

PDF (Tesi_di_laurea) - Thesis, 3 MB
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

This thesis consists of the development of an add-on for OWASP ZAP that performs a vulnerability analysis of the NoSQL database CouchDB. CouchDB is a document-oriented NoSQL database whose documents are JSON objects; it is written in Erlang. Its main known vulnerabilities are:

• Query injection, which, if executed in a certain way, can lead to a password bypass in a login page, but also to the exposure of secret database documents.
• The creation of users with admin privileges: because the JSON parser of Erlang and the one of JavaScript behave differently, any user can create an administrator profile for the database, leading to the exposure of the whole infrastructure.

OWASP ZAP was chosen as the platform for analysing these vulnerabilities because it is one of the most widely used tools in cybersecurity for the analysis of web applications. After contacting the development team of this open-source application and agreeing on the development of the add-on for CouchDB injection, the work was divided into the following steps. First, a web application that interfaces with a CouchDB database was built, written so that these vulnerabilities can be found. The vulnerabilities were first attacked through an ad-hoc Java application that performs the injection successfully through two different methods, each one targeting one of the vulnerabilities. Development then moved on to OWASP ZAP, and the add-on containing the active scan rules for CouchDB was created following the best practices of the development team; in this case all the attacks are implemented in a single method. The vulnerable web application was used to test both the Java application and the ZAP add-on; but since this application was built on purpose to be successfully attacked, other open-source applications found on GitHub were also used to test the effectiveness of the scan rules.

The add-on was then uploaded to my git repository and a pull request was made to the development team, waiting for it to be accepted and then released in a new version of OWASP ZAP.

Supervisors: Riccardo Sisto
Academic year: 2021/22
Publication type: Electronic
Number of pages: 92
Subjects:
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner companies: Blue Reply Srl
URI: http://webthesis.biblio.polito.it/id/eprint/21248