NoSQL INJECTION

Feature       Value
Type          Detection
Risk          OWASP A1
Covered by    Agent

A NoSQL injection attack consists of the insertion or "injection" of a NoSQL query object, operator or code fragment via the input data sent from the client to the application.

A successful NoSQL injection exploit can read sensitive data from the database, modify data (insert/update/delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system; which of these is reachable depends on the product and on how the query is evaluated. In a NoSQL injection attack, parts of the query object are injected into data-plane input so that the server evaluates them as query logic or code rather than as a plain value.

More information

How to solve it

Since "NoSQL" covers many different technologies, there is no silver bullet that protects against every kind of NoSQL injection attack. Although the right mitigation depends almost entirely on the specific NoSQL product in use, a few good practices apply to most of them.

Never use string concatenation with user-controlled input in an attribute that the server may execute as code (for example a JavaScript expression passed to MongoDB's $where). Whenever possible, replace such queries with the native query operators, which the DBMS can also optimize. Where the driver accepts a query object directly, also check that user-supplied values are plain scalars (for instance strings) and not objects, so that a JSON body such as {"name": {"$ne": ""}} cannot smuggle an operator into the filter.

Example (MongoDB):

import static com.mongodb.client.model.Filters.eq;
import static com.mongodb.client.model.Filters.where;

// Vulnerable: user input is concatenated into a JavaScript expression ($where)
// that the server evaluates; a value such as  ' || '1'=='1  rewrites the query.
collection.find(where("this.name == '" + name + "'")).first();

// Safe: the value is passed as data to the native $eq operator and is never
// interpreted as code.
collection.find(eq("name", name)).first();
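The following is an added example, not code from the original page. It rebuilds the two query styles above in JavaScript and runs them against a constructed in-memory "collection" through a tiny matcher that imitates how MongoDB evaluates $where (JavaScript with `this` bound to the document) and the native $eq/$ne operators. The matcher, the sample documents, the helper names and both payloads are assumptions made for this illustration; the matcher is a stand-in so the example runs offline and is not the MongoDB driver or server. It goes one step beyond the page's example by also showing the operator-injection case that the scalar check guards against.

```javascript
// Added example (not from the original page). Node.js, no dependencies.
// Constructed sample documents standing in for a collection.
const docs = [
  { name: "alice", role: "user" },
  { name: "bob", role: "admin" },
];

// Vulnerable: string concatenation into a JavaScript expression, the same
// pattern as the page's where(...) example.
function whereFilter(name) {
  return { $where: "this.name == '" + name + "'" };
}

// Naive: value placed straight into the filter object without a type check.
// Fine for a plain string, but a JSON body {"name": {"$ne": ""}} turns the
// value into an operator.
function naiveFilter(name) {
  return { name: name };
}

// Safe: native operator plus a scalar check, so an object can never become
// an operator and a string can never become code.
function eqFilter(name) {
  if (typeof name !== "string") {
    throw new TypeError("name must be a string, got " + typeof name);
  }
  return { name: { $eq: name } };
}

// Minimal stand-in for server-side filter evaluation (assumption: only the
// operators used in this example are supported).
function matches(doc, filter) {
  if (typeof filter.$where === "string") {
    // MongoDB evaluates $where as JavaScript with `this` bound to the document.
    return Boolean(new Function("return (" + filter.$where + ");").call(doc));
  }
  return Object.entries(filter).every(([field, cond]) => {
    if (cond === null || typeof cond !== "object") return doc[field] === cond; // implicit $eq
    if ("$eq" in cond) return doc[field] === cond.$eq;
    if ("$ne" in cond) return doc[field] !== cond.$ne;
    throw new Error("unsupported operator in " + JSON.stringify(cond));
  });
}

// Returns the names of the documents the filter matches.
function find(filter) {
  return docs.filter((d) => matches(d, filter)).map((d) => d.name);
}

// Constructed attacker input for the $where path: closes the string literal
// and ORs in an always-true clause.
const jsPayload = "' || '1'=='1";
// Constructed attacker input for the object path: an operator smuggled in
// through a JSON body.
const opPayload = { $ne: "" };

function demo() {
  const out = {
    whereInjected: find(whereFilter(jsPayload)), // every document
    naiveInjected: find(naiveFilter(opPayload)), // every document
    eqLegit: find(eqFilter("bob")),              // only bob
    eqLiteral: find(eqFilter(jsPayload)),        // nothing: the payload is just a string
  };
  let eqRejected = false;
  try {
    eqFilter(opPayload);
  } catch (e) {
    eqRejected = e instanceof TypeError;
  }
  out.eqRejected = eqRejected; // the object value never reaches the query
  return out;
}

console.log(demo());
```

The point to take from the run is that the same attacker strings are harmless once they are carried as data under a native operator, and that the type check is what closes the second door: without it, a JSON-encoded object reaches the filter as an operator even though no string concatenation is involved.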