Skip to content

Security Test: NoSQL Injection

Description

Default Severity:

NoSQL injection happens when an attacker tricks your application into running harmful database commands by inserting malicious code in user input. Instead of treating data as just plain values, the application builds queries that the attacker can manipulate. This can let an attacker see or change sensitive data, disrupt your system, or even take control of your database. Developers often fall into the trap of assuming that document-based queries are safe by default, so not validating or sanitizing input properly leads to these kinds of vulnerabilities.

Reference:

Configuration

Identifier: injection/nosql

Examples

All configuration available:

checks:
  injection/nosql:
    skip: false # default
    options:
      skip_objects: # cf. Options below

Options

Options can be set in the options key of the Security Test Configuration.

Property Type Default Description
skip_objects List[string] List of object that are to be skipped by the security test.

Compliance and Standards

Standard Value
OWASP API Top 10 API9:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 6.5.1
GDPR Article-32
SOC2 CC1
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP AC-6
CWE 943
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Score 9.4