Injection: NoSQL Injection Stored

Identifier: nosql

Scanner(s) Support

  • GraphQL Scanner
  • REST Scanner
  • WebApp Scanner
  • ASM Scanner

Description

NoSQL injection vulnerabilities occur when applications build NoSQL queries using untrusted user input, allowing attackers to manipulate queries and potentially access or modify sensitive data.

How we test: We inject NoSQL injection payloads into request parameters and analyze the responses to detect whether the injected query fragments are executed by the backend. We cover several NoSQL injection techniques, including MongoDB-, CouchDB- and other NoSQL database-specific attacks, and check whether user input is properly validated before it is used in database queries.

Prerequisites:

  • The target must expose request parameters that can be safely tested.
  • Response analysis requires non-empty responses that can be compared against the baseline behavior.

References:

Configuration

Example

Example configuration:

---
security_tests:
  nosql:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.