Injection: NoSQL Injection¶

Identifier: nosql

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

NoSQL injection happens when an attacker tricks your application into running harmful database commands by inserting malicious code in user input. Instead of treating data as just plain values, the application builds queries that the attacker can manipulate. This can let an attacker see or change sensitive data, disrupt your system, or even take control of your database. Developers often fall into the trap of assuming that document-based queries are safe by default, so not validating or sanitizing input properly leads to these kinds of vulnerabilities.

References:

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection

Configuration¶

Example¶

Example configuration:

---
security_tests:
  nosql:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.