Injection: NoSQL Injection Stored¶

Identifier: nosql_stored

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

Stored NoSQL injection happens when user input isnt properly checked and ends up being saved into a database query, essentially letting attackers embed harmful NoSQL commands into parts of your application. This can let them not just read data they shouldnt have access to but also modify or wipe out important data, potentially even interfering with system operations. Developers often make this mistake by trusting input too much, forgetting to thoroughly sanitize or validate it before using it in database queries. The risk is that once the malicious code is stored, it can be repeatedly used to compromise the system, which is why proper input handling and secure query methods are so important.

References:

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection

Configuration¶

Example¶

Example configuration:

---
security_tests:
  nosql_stored:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.