NoSQL Injection¶

Description¶

A NoSQL injection vulnerability occurs when users can insert (or “inject”) malicious NoSQL code in a legit SQL query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and in some cases issue commands to the operating system.

Remediation¶

The main principle of the remediation is to escape user input properly:

Allow-list input validation.
Escaping all user supplied input.

GraphQL Specific¶

Apollo

To prevent NoSQL injection in Apollo framework, ensure that all user-supplied input is validated and sanitized. Use parameterized queries with the appropriate data binding methods provided by the database driver or ORM. Avoid constructing queries with string concatenation. Implement proper access controls and regularly update the Apollo server and any underlying database packages to patch known vulnerabilities.

Yoga

To prevent NoSQL injection in the Yoga framework engine, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating user input directly into database queries. Validate and sanitize all user inputs to remove malicious injection payloads. Additionally, implement proper access controls and use the principle of least privilege to minimize the potential impact of any successful injection attack.

Awsappsync

To mitigate NoSQL injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is validated and sanitized. Use AWS AppSync's built-in support for parameterized resolvers and the VTL (Velocity Template Language) to safely handle user input. Avoid directly concatenating user input into queries or filter expressions. Implement strict input validation routines to check for expected data types and patterns. Additionally, employ AWS IAM policies and AppSync's fine-grained access control mechanisms to restrict access to underlying data sources and limit the potential impact of a successful injection attack.

Graphqlgo

To mitigate NoSQL injection vulnerabilities in a GraphQL Go framework engine, ensure that all user-supplied input is properly sanitized and validated. Use parameterized queries or prepared statements to handle data input, and employ a library that provides built-in protection against injection attacks. Additionally, implement proper access controls and regularly audit your code for potential injection flaws.

Graphqlruby

In the GraphQL Ruby framework, to prevent NoSQL injection attacks, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterized queries and arguments to avoid directly interpolating variables into queries. Additionally, employ proper access control checks and adhere to the principle of least privilege when designing your schema and resolvers.

Hasura

To prevent NoSQL injection in Hasura, ensure that all GraphQL queries and mutations are constructed using parameterized arguments rather than string concatenation. Additionally, apply strict input validation, use Hasura's permission system to restrict data access, and regularly update Hasura to incorporate security fixes.

Agoo

Validate and sanitize all user inputs in the Agoo framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user inputs in database queries.

Ariadne

Implement input validation and sanitization in the Ariadne framework engine to prevent NoSQL injection by ensuring that user inputs are properly escaped and do not directly interact with the database queries.

Caliban

Validate and sanitize all user inputs to prevent NoSQL injection in the Caliban framework engine.

Dgraph

Validate and sanitize all user inputs to prevent NoSQL injection vulnerabilities in the Dgraph framework. Use parameterized queries and avoid directly embedding user input in database queries.

Dianajl

Implement input validation and sanitization in the dianajl framework engine to prevent NoSQL injection by ensuring that user inputs are properly validated and sanitized before being used in database queries.

Directus

Implement input validation and sanitization for all user inputs in the Directus framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and ensure that any dynamic queries are constructed safely to avoid executing malicious code.

Flutter

Validate and sanitize all user inputs in Flutter applications to prevent NoSQL injection vulnerabilities. Use secure coding practices and libraries that support parameterized queries to ensure that user inputs are not directly concatenated into database queries.

Graphene

Validate and sanitize all user inputs in the Graphene framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user input in database queries.

Graphqlapiforwp

Implement input validation and sanitization for all user inputs in the GraphQL API for WP framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and ensure that user inputs are not directly concatenated into database queries.

Graphqlgophergo

Validate and sanitize all user inputs in GraphQL queries to prevent injection attacks, and use libraries like graphql-go to enforce strict query validation and schema constraints.

Graphqljava

Validate and sanitize all user inputs in GraphQL queries and mutations to prevent injection attacks. Use libraries like graphql-java-extended-validation to enforce input constraints and ensure that only expected data types and formats are processed.

Graphqlphp

Validate and sanitize all user inputs in GraphQL queries to prevent NoSQL injection vulnerabilities. Use libraries or middleware that enforce strict input validation and ensure that only expected data types and values are processed.

Graphqlyoga

Validate and sanitize all user inputs in GraphQL Yoga to prevent NoSQL injection. Use parameterized queries and input validation libraries to ensure that only expected data types and formats are processed.

Hypergraphql

Validate and sanitize all user inputs in HyperGraphQL to prevent injection attacks, and use parameterized queries to ensure that user inputs are treated as data rather than executable code.

Jaal

Implement input validation and sanitization in the Jaal framework engine to prevent NoSQL injection by ensuring that user inputs are properly checked and cleaned before being used in database queries.

Juniper

Implement input validation and sanitization to prevent NoSQL injection in the Juniper framework engine by ensuring that user inputs are properly validated and sanitized before being used in database queries.

Lacinia

Validate and sanitize all user inputs in the Lacinia framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user input in database queries.

Lighthouse

Implement input validation and sanitization to prevent malicious code execution in the Lighthouse framework engine.

Mercurius

Validate and sanitize all user inputs in Mercurius framework to prevent NoSQL injection vulnerabilities.

Morpheusgraphql

Implement input validation and sanitization in MorpheusGraphQL to prevent NoSQL injection by ensuring that user inputs are properly validated and sanitized before being processed by the database engine.

Qglgen

Validate and sanitize all user inputs in the gqlgen framework to prevent NoSQL injection. Use parameterized queries and avoid directly embedding user inputs in database queries.

Sangria

Validate and sanitize all user inputs and use parameterized queries in the Sangria GraphQL framework to prevent NoSQL injection vulnerabilities.

Shopify

Implement input validation and sanitization to prevent NoSQL injection in the Shopify framework by ensuring that user inputs are properly validated and sanitized before being used in database queries. Additionally, use parameterized queries or ORM methods that automatically handle input safely.

Stepzen

Validate and sanitize all user inputs in the StepZen framework to prevent NoSQL injection. Use parameterized queries and avoid directly embedding user inputs in database queries. Implement input validation to ensure only expected data types and formats are processed. Regularly update and patch the StepZen framework to incorporate security fixes.

Strawberry

Implement input validation and sanitization in the Strawberry Framework engine to prevent NoSQL injection by ensuring that user inputs are properly checked and cleaned before being used in database queries.

Tartiflette

Validate and sanitize all user inputs in the Tartiflette framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user inputs in database queries.

Wpgraphql

Validate and sanitize all user inputs in WPGraphQL to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user inputs in database queries.

REST Specific¶

Asp_net

To prevent NoSQL injection in ASP.NET applications, use parameterized queries with ORM frameworks like Entity Framework, which automatically handle the use of parameters. Avoid building queries with string concatenation, and validate and sanitize all user input. Implement proper error handling to prevent leakage of database information in error messages. Additionally, apply the principle of least privilege by restricting database permissions for application users.

Ruby_on_rails

In Ruby on Rails, prevent NoSQL injection by using parameterized queries with the ActiveRecord ORM, which ensures that user input is treated as data rather than executable code. Additionally, avoid directly passing user input to methods that perform database operations, and implement input validation to sanitize and verify the data before it's used in a query.

Next_js

In the Next.js framework, to prevent NoSQL injection attacks, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating or interpolating user input directly into queries. Utilize libraries that provide built-in protection against injection, and always validate and sanitize user input to enforce the expected data type and format. Additionally, implement proper access controls and regularly audit your code for security vulnerabilities.

Laravel

In Laravel, to prevent NoSQL injection attacks, always use Eloquent ORM or the query builder's parameter binding feature to handle your database queries. Avoid raw queries or constructing queries with user input directly. When using Eloquent, leverage its built-in protection against injection by utilizing model binding and mass assignment protection. Additionally, validate and sanitize all user inputs using Laravel's validation features to ensure that the data conforms to expected formats before it is used in any database query.

Express_js

In Express.js applications using NoSQL databases like MongoDB, prevent NoSQL injection attacks by using parameterized queries with libraries such as Mongoose, which automatically sanitize input. Avoid constructing queries with string concatenation. Additionally, implement input validation using middleware like express-validator to ensure that the data conforms to expected formats. Regularly update your database drivers and frameworks to incorporate security patches.

Django

In Django, ensure that you use the Django ORM properly to avoid NoSQL injection vulnerabilities. Always use the built-in querysets and avoid directly passing user input into filter() or raw() methods. For instance, instead of using raw string concatenation, leverage the ORM's parameterized query capabilities such as YourModel.objects.filter(field_name=user_input). This ensures that Django will handle the necessary escaping and formatting of inputs. Additionally, validate and sanitize all user inputs to ensure they meet the expected format and type. Regularly update Django to the latest version to benefit from security patches and improvements.

Symfony

In the Symfony framework, to prevent NoSQL injection attacks, use the Doctrine ODM (Object Document Mapper) or ORM (Object Relational Mapper) with parameterized queries or prepared statements. Ensure that all user-supplied input is sanitized and validated before being used in database queries. Additionally, implement proper access controls and use the latest security practices recommended by Symfony's documentation.

Spring_boot

In the Spring Boot framework, to prevent NoSQL injection attacks, it is recommended to use parameterized queries or Spring Data repositories. Avoid constructing queries using string concatenation with user input. Instead, leverage Spring Data's support for query methods, which automatically apply parameter binding and sanitization. For more complex queries, use Criteria API or QueryDSL to ensure that user input is handled safely. Additionally, validate and sanitize all user inputs to ensure they conform to expected formats. Implement proper authentication and authorization checks to restrict access to sensitive data and operations.

Flask

In Flask applications using NoSQL databases, ensure that you use parameterized queries or the equivalent feature provided by the database driver, such as the 'safe' parameter in PyMongo. Avoid constructing queries with string concatenation or interpolation of user-supplied input. Additionally, apply proper input validation, use database-specific escaping functions, and implement access controls to mitigate NoSQL injection risks.

Nuxt

In Nuxt.js applications, to prevent NoSQL injection attacks, ensure that all database queries are constructed using parameterized queries or prepared statements. This approach allows the database to distinguish between code and data, regardless of user input. Additionally, validate and sanitize all user input to remove potential malicious injection code. Implement proper error handling to avoid revealing database structures in error messages. Regularly review and update dependencies to mitigate vulnerabilities in third-party packages. Use security libraries and modules that are designed to protect against injection attacks. Finally, employ a robust authentication and authorization strategy to limit database access.

Fastapi

In FastAPI, to prevent NoSQL injection attacks, ensure that you use a proper database driver that supports parameterized queries or prepared statements. Avoid constructing queries using string concatenation with user input. Instead, leverage the features of the chosen ODM (Object Document Mapper) like `motor` for MongoDB, which typically provide methods to safely create queries with placeholders for parameters. Additionally, validate and sanitize all user input rigorously to ensure that it conforms to expected formats. Implement proper error handling to avoid revealing sensitive information about the database structure in error messages.

Frappe

Validate and sanitize all user inputs in the Frappe framework to prevent NoSQL injection by using built-in ORM methods and avoiding direct database queries.

Genzio

Implement input validation and sanitization in the Genzio framework engine to prevent NoSQL injection by ensuring that user inputs are properly escaped and validated before being used in database queries.

Gin

Validate and sanitize all user inputs in the Gin framework to prevent NoSQL injection. Use parameterized queries and ORM features to ensure that user inputs are not directly included in database queries. Additionally, implement input validation and use libraries that automatically escape special characters in user inputs.

Gorilla

Implement input validation and sanitization to ensure that user inputs are properly checked and cleaned before being processed by the Gorilla framework engine. Additionally, use parameterized queries to prevent malicious code execution.

Hapi

Validate and sanitize user inputs using Joi schemas in the Hapi framework to prevent NoSQL injection vulnerabilities.

Hono

Validate and sanitize all user inputs to prevent NoSQL injection in the Hono framework engine. Use parameterized queries and avoid directly embedding user inputs in database queries.

Jersey

Validate and sanitize all user inputs to prevent NoSQL injection vulnerabilities in the Jersey framework. Use parameterized queries and avoid directly embedding user input in database queries.

Koa

Validate and sanitize all user inputs in Koa applications to prevent NoSQL injection. Use libraries like Joi for input validation and ensure that any database queries are parameterized to avoid direct insertion of user data into queries.

Ktor

Validate and sanitize all user inputs in Ktor applications to prevent NoSQL injection. Use parameterized queries or query builders provided by the database driver to ensure that user inputs are not directly concatenated into database queries.

Leptos

Validate and sanitize all user inputs in the Leptos framework engine to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user inputs in database queries.

Macaron

Validate and sanitize all user inputs in the Macaron framework to prevent NoSQL injection. Use parameterized queries and ORM features to ensure that user inputs are not directly concatenated into database queries.

Phoenix

Use Ecto query parameters to prevent NoSQL injection by ensuring that user input is safely handled and not directly interpolated into queries.

Redwoodjs

In RedwoodJS, ensure that all database queries are constructed using parameterized queries or ORM methods to prevent NoSQL injection. Avoid directly embedding user input into query strings and validate or sanitize inputs where necessary.

Rocket

Validate and sanitize all user inputs in Rocket framework to prevent NoSQL injection. Use parameterized queries and avoid directly embedding user inputs in database queries. Implement input validation middleware to ensure only expected data types and formats are processed.

Sveltekit

In SvelteKit, to prevent NoSQL injection, ensure that all database queries are parameterized and avoid directly embedding user input into queries. Use libraries that support parameterized queries and validate or sanitize user inputs before processing them.

Configuration¶

Identifier: injection/nosql

Options¶

skip_objects : List of object that are to be skipped by the security test.

Examples¶

Ignore this check¶

checks:
  injection/nosql:
    skip: true

Score¶

Escape Severity:

Compliance¶

OWASP: API9:2023
OWASP LLM: LLM06:2023
pci: 6.5.1
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-6

Classification¶

CWE: 943

Score¶

CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS_SCORE: 9.4

References¶

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection