Huy's Notes
NoSQL Injection

#owasp #security #database

NoSQL databases do not use SQL to perform queries, but they still use user input to perform actions, so they are also vulnerable to attack if input sanitization is not performed properly.

For example, if you're using MongoDB and you're writing a user authentication feature, to verify a user's login credentials you might query the DB like this:

const query = {
    // Both values come straight from the parsed request body (e.g. JSON),
    // so they may be objects such as {"$ne": 1}, not only strings.
    username: req.body.username,
    password: req.body.password
}

User.find(query, (err, users) => {
    if (err || users.length === 0) {
        // login failed: query error, or no record matched
    } else {
        // login success
    }
});

This query seems fine, but if an attacker knows that you're using MongoDB, they can utilize its query language to bypass the password check by sending query data like this:

{
    "username": "victim",
    "password": {"$ne": 1}
}

Even worse, some NoSQL databases such as MongoDB are tightly integrated with languages like JavaScript and support evaluating JavaScript code in some contexts. If user input is not handled properly, the attacker may be able to execute harmful code within your server application.

To protect against NoSQL injection attacks, there are various things you can do:

  • Always sanitize user input to escape dangerous characters
  • Use typed input instead of plain strings in queries
  • Minimize the privileges of the application
  • Disable JavaScript evaluation for databases like MongoDB if possible
  • ...
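As an added example (not code from the original note), the snippet below puts the vulnerable query construction next to a version that enforces typed string input, adds a check that spots `$`-prefixed operator keys in a parsed JSON body, and uses a tiny `$ne`-only matcher, a constructed stand-in for the database, to show why the payload above matches the stored record. The `STORED_USER` record and `INJECTED_BODY` are constructed sample values.

```javascript
// Vulnerable: whatever JSON the client sent ends up in the query as-is.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// True when a value (recursively) contains a key starting with "$",
// i.e. a MongoDB operator smuggled in through a JSON body.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v)
    );
  }
  return false;
}

// Hardened: require plain strings so the query can only ever be an
// equality match; anything else is rejected before reaching the DB.
function buildLoginQuerySafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Minimal equality/$ne matcher, only to illustrate the bypass;
// a real driver evaluates far more operators than this one.
function matchesField(stored, clause) {
  if (clause !== null && typeof clause === 'object' && '$ne' in clause) {
    return stored !== clause.$ne;
  }
  return stored === clause;
}
function matchesUser(record, query) {
  return Object.keys(query).every((f) => matchesField(record[f], query[f]));
}

// Constructed sample data: the stored record and the attacker's JSON body.
const STORED_USER = { username: 'victim', password: 'correct horse' };
const INJECTED_BODY = { username: 'victim', password: { $ne: 1 } };

// Unsafe builder lets the operator through and the record matches;
// the safe builder rejects the same body before any query is run.
console.log(matchesUser(STORED_USER, buildLoginQueryUnsafe(INJECTED_BODY))); // true
console.log(containsOperator(INJECTED_BODY)); // true
```

A real login handler would compare a password hash rather than the stored plaintext, but the typing check applies the same way.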
