NoSQL Injection Stored
Description
A NoSQL injection vulnerability occurs when users can insert (or "inject") malicious NoSQL code into a legitimate NoSQL query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and, in some cases, issue commands to the operating system.
Remediation
Primary defenses:
- Use a sanitization library.
- Cast the inputs to the expected type (e.g. the username and password are strings, so cast the variables to a string).
- Never use the `where`, `mapReduce`, or `group` operators with user input: they allow the attacker to inject JavaScript and are therefore much more dangerous than others. For extra safety, set `javascriptEnabled` to false in mongod.conf (if using MongoDB).
- Enforce Least Privilege.
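The "cast the inputs to the expected type" defense above, as an added example that is not part of this check page: a MongoDB-style login filter built from GraphQL resolver arguments, first trusting the arguments as-is and then enforcing their expected type and rejecting operator keys. The argument objects are constructed sample input and no database is contacted.

```javascript
// Added example (not code from the Escape check page). Shows why untyped
// resolver arguments let a JSON object become a MongoDB operator expression,
// and how type enforcement keeps the filter an equality match on strings.

// Vulnerable: the resolver assumes `username`/`password` are strings and passes
// them straight into the filter. If the client, or data stored earlier and
// reused here, supplies an object such as {"$ne": ""}, the filter silently
// turns into an operator query instead of an equality match.
function buildFilterUnsafe(args) {
  return { username: args.username, password: args.password };
}

// Refuse any value that is not a plain string. A bare String() cast would turn
// {"$ne": ""} into "[object Object]" without signalling anything, so an
// explicit type check is used so the request can be rejected and logged.
function toSafeString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

// Defensive check for nested data (stored documents reused in later queries):
// recursively reject keys that start with "$" or contain ".", which is what
// MongoDB interprets as operators and field paths.
function assertNoOperatorKeys(value) {
  if (Array.isArray(value)) {
    value.forEach(assertNoOperatorKeys);
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      if (key.startsWith("$") || key.includes(".")) {
        throw new Error(`operator-like key rejected: ${key}`);
      }
      assertNoOperatorKeys(child);
    }
  }
}

// Hardened: validate the whole argument object, then cast each field to its
// expected type before it reaches the query.
function buildFilterSafe(args) {
  assertNoOperatorKeys(args);
  return {
    username: toSafeString(args.username, "username"),
    password: toSafeString(args.password, "password"),
  };
}

// Constructed sample input: what a JSON body {"username":{"$ne":""},...} parses to,
// next to a legitimate login.
const injectedArgs = { username: { $ne: "" }, password: { $ne: "" } };
const legitArgs = { username: "alice", password: "hunter2" };
```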
GraphQL Specific
Apollo
To mitigate NoSQL injection vulnerabilities in the Apollo framework, ensure that all user-supplied input is validated and sanitized. Use parameterized queries or the built-in filtering and parameterization features provided by the database driver or ORM. Avoid directly concatenating or interpolating user input into database queries. Implement proper access controls and regularly audit your codebase for security issues.
Yoga
To prevent NoSQL injection attacks in the Yoga framework engine, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating user input directly into database queries. Validate and sanitize all user inputs to ensure they conform to expected formats. Implement proper error handling to prevent the disclosure of database structures. Regularly review and update security measures in line with best practices.
Awsappsync
To mitigate NoSQL injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is validated and sanitized. Use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to parameterize data access, and avoid directly passing user input to NoSQL queries. Implement strict type checking and input validation using AppSync's schema definition. Additionally, employ AWS WAF (Web Application Firewall) to filter out malicious requests and regularly update your security rules to protect against emerging threats.
Graphqlgo
To mitigate NoSQL injection vulnerabilities in a GraphQL Go framework engine, ensure that all user-supplied input is properly sanitized and validated. Use parameterized queries or prepared statements to handle data input, and avoid directly concatenating or interpolating user input into database queries. Additionally, implement proper access control checks and adhere to the principle of least privilege when accessing the database. Regularly review and update your security practices to protect against emerging threats.
Graphqlruby
To mitigate NoSQL injection vulnerabilities in a GraphQL Ruby framework, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterized queries provided by the framework, such as variables in GraphQL queries, to prevent attackers from injecting arbitrary NoSQL code. Additionally, employ proper access control checks to restrict data access and operations based on user permissions. Regularly update the GraphQL Ruby framework and its dependencies to incorporate security fixes. Consider using an allowlist approach for query complexity and depth to prevent abusive queries. Implement monitoring and logging to detect and respond to suspicious activities promptly.
Hasura
To prevent NoSQL injection attacks in the Hasura framework, ensure that all user-supplied input is validated and sanitized. Use prepared statements with variable binding for GraphQL queries. Additionally, implement strict access controls and permission rules to limit the exposure of sensitive data. Regularly review and update security policies to keep up with emerging threats.
Configuration
Identifier:
injection/nosql_stored
Options
- skip_objects : List of objects that are to be skipped by the security test.
Examples
Ignore this check
checks:
  injection/nosql_stored:
    skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API9:2023
pci: 6.5.1
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-6
Classification
- CWE: 943
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
- CVSS_SCORE: 9.4