Quick notes about Azure Table Storage Injection in Windows Azure Mobile Services

One beautiful afternoon you come across the popular Azure Table Storage service during an assessment. Shit, a NoSQL service hosted on Azure. It must be secure right?Well, again it is up to the developer’s implementation and unsurprisingly, it is possible to use SQL injection (NoSQL injection?) to extract more data than intended if the developers failed at sanitizing parameters. 

How do you identify this service?

  • Look for apps sending requests to *.azure-mobile.net
  • Requests sent to /tables/
  • Requests containing the operators shown next included in the request variable ‘filter’

What operators can you use to extract information?

Extract information from other tables using the following supported comparison operators:

  • eq (Equal) 
  • gt (GreaterThan)
  • ge (GreaterThanOrEqual)
  • lt (LessThan)
  • le (LessThanOrEqual) 
  • ne (NotEqual)

 I hope you find the operators reference useful and remember to stay on the hunt ;).
Reference:

Querying tables and entities: https://docs.microsoft.com/en-us/rest/api/storageservices/querying-tables-and-entities#supported-comparison-operators

Leave a Reply

Your email address will not be published. Required fields are marked *