Security Test: NoSQL Injection Stored¶

Description¶

Default Severity:

Stored NoSQL injection happens when user input isn’t properly checked and ends up being saved into a database query, essentially letting attackers embed harmful NoSQL commands into parts of your application. This can let them not just read data they shouldn’t have access to but also modify or wipe out important data, potentially even interfering with system operations. Developers often make this mistake by trusting input too much, forgetting to thoroughly sanitize or validate it before using it in database queries. The risk is that once the malicious code is stored, it can be repeatedly used to compromise the system, which is why proper input handling and secure query methods are so important.

Reference:

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection

Configuration¶

Identifier: injection/nosql_stored

Examples¶

All configuration available:

checks:
  injection/nosql_stored:
    skip: false # default
    options:
      skip_objects: # cf. Options below

Options¶

Options can be set in the options key of the Security Test Configuration.

Property	Type	Default	Description
`skip_objects`	`List[string]`		List of object that are to be skipped by the security test.

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API9:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.1`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-6`
CWE	`943`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C`
CVSS Score	`9.4`