A NoSQL injection vulnerability occurs when users can insert (or “inject”) malicious NoSQL code in a legit SQL query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and in some cases issue commands to the operating system.
The main principle of the remediation is to escape user input properly:
- Allow-list input validation.
- Escaping all user supplied input.
- skip_objects : List of object that are to be skipped by the security test.
Ignore this check
- Escape Severity: HIGH
- OWASP: API9:2023
- PCI DSS: 6.5.1
- WASC: WASC-19
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
- CVSS_SCORE: 9.4