
NoSQL Injection Stored

Description

A NoSQL injection vulnerability occurs when users can insert (or "inject") malicious NoSQL code into a legitimate NoSQL query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and, in some cases, issue commands to the operating system.

Remediation

Primary defenses:

  • Use a sanitization library.
  • Cast the inputs to the expected type (e.g. the username and password are strings, so cast those variables to strings before they reach the query).
  • Never use the $where, mapReduce, or group operators with user input: they allow the attacker to inject JavaScript and are therefore much more dangerous than other operators. For extra safety, set javascriptEnabled to false in mongod.conf (if using MongoDB).
  • Enforce least privilege on the database account the application uses.
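The two builders below are an added example (not code from the original page) showing why the "cast to the expected type" defense matters for a MongoDB-style login filter built from a parsed JSON body. The sample user collection, the request bodies and the tiny in-memory matcher are constructed here for illustration; the key-stripping sanitizer follows the approach of libraries such as express-mongo-sanitize but is written from scratch.

```javascript
// Constructed sample collection standing in for db.users.
const USERS = [
  { username: 'alice', password: 'hunter2' },
  { username: 'bob', password: 'correct-horse' },
];

// Vulnerable: the parsed JSON body is passed through untouched, so a client that
// sends objects instead of strings (e.g. {"$ne": null}) injects query operators
// and the filter matches every document instead of one account.
function buildFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened: enforce the expected type. Only object *keys* can become operators;
// a string value is always data, even if it contains '$'.
function asString(value, field) {
  if (typeof value !== 'string') throw new TypeError(`${field} must be a string`);
  return value;
}
function buildFilterSafe(body) {
  return {
    username: asString(body.username, 'username'),
    password: asString(body.password, 'password'),
  };
}

// Defense in depth: recursively drop any key that starts with '$' or contains '.'
// from nested objects and arrays, so operator keys never reach the driver.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value)
        .filter(([k]) => !k.startsWith('$') && !k.includes('.'))
        .map(([k, v]) => [k, stripOperatorKeys(v)]),
    );
  }
  return value;
}

// Minimal matcher supporting equality and $ne, enough to show the impact
// of an operator reaching the filter. Returns the matching documents.
function matchesField(actual, cond) {
  if (cond && typeof cond === 'object' && '$ne' in cond) return actual !== cond.$ne;
  return actual === cond;
}
function find(filter) {
  return USERS.filter((u) => Object.entries(filter).every(([k, c]) => matchesField(u[k], c)));
}
```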

GraphQL Specific

Apollo: To mitigate NoSQL injection vulnerabilities in the Apollo framework, ensure that all user-supplied input is validated and sanitized. Use parameterized queries or the built-in filtering and parameterization features provided by the database driver or ORM. Avoid directly concatenating or interpolating user input into database queries. Implement proper access controls and regularly audit your codebase for security issues.
Yoga: To prevent NoSQL injection attacks in the Yoga framework engine, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating user input directly into database queries. Validate and sanitize all user inputs to ensure they conform to expected formats. Implement proper error handling to prevent the disclosure of database structures. Regularly review and update security measures in line with best practices.
AWS AppSync: To mitigate NoSQL injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is validated and sanitized. Use AppSync's built-in VTL (Velocity Template Language) resolvers to parameterize data access, and avoid passing user input directly to NoSQL queries. Implement strict type checking and input validation through the AppSync schema definition. Additionally, employ AWS WAF (Web Application Firewall) to filter out malicious requests and regularly update your security rules to protect against emerging threats.
GraphQL Go: To mitigate NoSQL injection vulnerabilities in a GraphQL Go framework engine, ensure that all user-supplied input is properly sanitized and validated. Use parameterized queries or prepared statements to handle data input, and avoid directly concatenating or interpolating user input into database queries. Additionally, implement proper access control checks and adhere to the principle of least privilege when accessing the database. Regularly review and update your security practices to protect against emerging threats.
GraphQL Ruby: To mitigate NoSQL injection vulnerabilities in a GraphQL Ruby framework, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterized queries provided by the framework, such as variables in GraphQL queries, to prevent attackers from injecting arbitrary NoSQL code. Additionally, employ proper access control checks to restrict data access and operations based on user permissions. Regularly update the GraphQL Ruby framework and its dependencies to incorporate security fixes. Consider limiting query complexity and depth to prevent abusive queries. Implement monitoring and logging to detect and respond to suspicious activity promptly.
Hasura: To prevent NoSQL injection attacks in the Hasura framework, ensure that all user-supplied input is validated and sanitized. Use prepared statements with variable binding for GraphQL queries. Additionally, implement strict access controls and permission rules to limit the exposure of sensitive data. Regularly review and update security policies to keep up with emerging threats.
Agoo: Validate and sanitize all user inputs, and use parameterized queries in the Agoo framework to prevent NoSQL injection vulnerabilities.
Ariadne: Implement input validation and sanitization in the Ariadne framework engine to prevent NoSQL injection by ensuring that user inputs are properly escaped and cannot alter the intended database queries.
Caliban: Validate and sanitize all user inputs to prevent NoSQL injection in the Caliban framework engine. Use parameterized queries and avoid directly embedding user input in database queries.
Dgraph: Implement input validation and sanitization to prevent NoSQL injection in the Dgraph framework by ensuring that user inputs are properly escaped and validated before being used in database queries.
Diana.jl: Implement input validation and sanitization to prevent NoSQL injection in the Diana.jl framework engine by ensuring that user inputs are properly checked and sanitized before being used in database queries.
Directus: Implement input validation and sanitization for all user inputs in the Directus framework, and use parameterized queries to prevent NoSQL injection vulnerabilities.
Flutter: Validate and sanitize all user inputs to prevent NoSQL injection vulnerabilities in Flutter applications. Use secure coding practices and libraries that support parameterized queries to ensure that user inputs are never executed as code.
Graphene: Validate and sanitize all user inputs and use parameterized queries in the Graphene framework to prevent NoSQL injection vulnerabilities.
GraphQL API for WP: Implement input validation and sanitization for all user inputs in the GraphQL API for WP framework to prevent NoSQL injection vulnerabilities.
Graphqlgophergo: Implement input validation and sanitization for all user inputs in GraphQL queries, and use parameterized queries to prevent NoSQL injection in the Gopher framework.
graphql-java: Validate and sanitize all user inputs, and use parameterized queries to prevent injection attacks in GraphQL queries with graphql-java.
graphql-php: Validate and sanitize all user inputs in GraphQL queries to prevent NoSQL injection. Use parameterized queries and avoid directly embedding user inputs in database queries. Implement strict schema validation and limit query depth and complexity to reduce the risk of injection attacks.
GraphQL Yoga: Validate and sanitize all user inputs in GraphQL queries to prevent NoSQL injection vulnerabilities. Use graphql-yoga's built-in validation mechanisms to ensure that only expected and safe queries are executed. Additionally, implement authentication and authorization checks to restrict access to sensitive data and operations.
HyperGraphQL: Validate and sanitize all user inputs to prevent injection attacks in the HyperGraphQL framework engine.
Jaal: Implement input validation and sanitization in the Jaal framework engine to prevent NoSQL injection by ensuring that user inputs are properly checked and cleaned before being used in database queries.
Juniper: Implement input validation and sanitization to prevent NoSQL injection in the Juniper framework engine by ensuring that user inputs are properly validated and sanitized before being used in database queries.
Lacinia: Validate and sanitize all user inputs to prevent NoSQL injection in the Lacinia framework engine. Use parameterized queries and avoid directly embedding user input in database queries.
Lighthouse: Implement input validation and sanitization to prevent malicious code execution in the Lighthouse framework engine.
Mercurius: Implement input validation and sanitization in the Mercurius framework engine to prevent NoSQL injection by ensuring that user inputs are properly escaped and do not contain malicious code.
Morpheus GraphQL: Implement input validation and sanitization in Morpheus GraphQL to prevent NoSQL injection by ensuring that user inputs are properly validated and sanitized before being processed by the database engine.
gqlgen: Validate and sanitize all user inputs in the gqlgen framework to prevent NoSQL injection. Use parameterized queries and avoid directly embedding user input in database queries.
Sangria: Validate and sanitize all user inputs to prevent NoSQL injection in the Sangria framework engine.
Shopify: Implement input validation and sanitization to prevent NoSQL injection in the Shopify framework. Use parameterized queries and avoid directly incorporating user input into database queries. Regularly update dependencies and apply security patches to minimize vulnerabilities.
StepZen: Implement input validation and sanitization in the StepZen framework to prevent NoSQL injection by ensuring that user inputs are properly checked and sanitized before being used in database queries.
Strawberry: Implement input validation and sanitization in the Strawberry framework engine to prevent NoSQL injection by ensuring that user inputs are properly escaped and validated before being used in database queries.
Tartiflette: Validate and sanitize all user inputs in the Tartiflette framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly embedding user inputs in database queries.
WPGraphQL: Implement input validation and sanitization for all user inputs in the WPGraphQL framework to prevent NoSQL injection vulnerabilities. Use parameterized queries and avoid directly incorporating user inputs into database queries.

Configuration

Identifier: injection/nosql_stored

Options

  • skip_objects : List of objects to be skipped by the security test.

Examples

Ignore this check

checks:
  injection/nosql_stored:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API9:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-6

Classification

  • CWE: 943

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
  • CVSS_SCORE: 9.4

References