NoSQL Injection

Description

A NoSQL injection vulnerability occurs when users can insert (or "inject") malicious NoSQL code into a legitimate database query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and, in some cases, issue commands to the operating system.

Remediation

The main principle of remediation is to validate and escape user input properly:

  • Apply allow-list input validation.
  • Escape all user-supplied input.
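
The two remediation items above, shown as an added example that is not part of the original page or of the product's own code. It assumes a MongoDB-style query language in which an object value is read as operators (`$eq`, `$in`); the field names, patterns and helper names are hypothetical.

```javascript
// Hypothetical allow-list: field name -> pattern its value must match.
const ALLOWED_FIELDS = {
  username: /^[A-Za-z0-9_.-]{1,64}$/,
  email: /^[^\s@]{1,64}@[^\s@]{1,255}$/,
};

class ValidationError extends Error {}

// Build a query filter from untrusted input (for example a parsed JSON body).
// Only allow-listed fields pass, and each value must be a plain string that
// matches its pattern. Objects and arrays are rejected, so user input can
// never reach the database as query operators.
function buildFilter(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new ValidationError('body must be a JSON object');
  }
  const filter = Object.create(null);
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, key)) {
      throw new ValidationError(`field not allowed: ${key}`);
    }
    const value = input[key];
    if (typeof value !== 'string') {
      throw new ValidationError(`${key} must be a string`);
    }
    if (!ALLOWED_FIELDS[key].test(value)) {
      throw new ValidationError(`${key} has an invalid format`);
    }
    // Explicit equality: the value is always treated as data.
    filter[key] = { $eq: value };
  }
  if (Object.keys(filter).length === 0) throw new ValidationError('empty filter');
  return filter;
}

// Returns null when the input is accepted, otherwise the rejection reason.
function check(input) {
  try { buildFilter(input); return null; } catch (e) { return e.message; }
}

// Constructed sample inputs, not taken from any real traffic.
const samples = [
  { username: 'alice' },
  { username: { $in: ['alice', 'bob'] } }, // object where a string is expected
  { username: 'alice', role: 'admin' },    // field outside the allow-list
];
for (const s of samples) console.log(JSON.stringify(s), '->', check(s) || 'accepted');
```

Validation runs on the parsed body before any query is built, so a rejected request never reaches the database driver.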

Configuration

Identifier: injection/nosql

Options

  • skip_objects: List of objects to be skipped by the security test.

Examples

Ignore this check

{
  "checks": {
    "injection/nosql": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: HIGH
    • OWASP: API9:2023
    • PCI DSS: 6.5.1
    • CWE
      • 89
      • 564
      • 943
    • WASC: WASC-19

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
  • CVSS_SCORE: 9.4
