Security Test: NoSQL Injection via Frontend¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

NoSQL injection is when attackers insert malicious code into user inputs to manipulate a database query in ways you didn't intend. If the application builds queries by directly using unsanitized input, an attacker can trick it into showing or changing sensitive data, causing disruption or full control over the database. Developers often mistakenly trust that NoSQL queries are safe just because they aren't SQL, so not properly validating or filtering input can lead to big security risks.

Reference:

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection

Configuration¶

Identifier: frontend_injection/nosql

Examples¶

All configuration available:

checks:
  frontend_injection/nosql:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API9:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.1`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-6`
CWE	`943`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C`
CVSS Score	`9.4`