Skip to main content

NoSQL Injection

Description​

A NoSQL injection vulnerability occurs when users can insert (or β€œinject”) malicious NoSQL code in a legit SQL query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and in some cases issue commands to the operating system.

Remediation​

The main principle of the remediation is to escape user input properly:

  • Allow-list input validation.
  • Escaping all user supplied input.

GraphQL Specific​

Apollo

To prevent NoSQL injection in Apollo framework, ensure that all user-supplied input is validated and sanitized. Use parameterized queries with the appropriate data binding methods provided by the database driver or ORM. Avoid constructing queries with string concatenation. Implement proper access controls and regularly update the Apollo server and any underlying database packages to patch known vulnerabilities.

Yoga

To prevent NoSQL injection in the Yoga framework engine, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating user input directly into database queries. Validate and sanitize all user inputs to remove malicious injection payloads. Additionally, implement proper access controls and use the principle of least privilege to minimize the potential impact of any successful injection attack.

Awsappsync

To mitigate NoSQL injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is validated and sanitized. Use AWS AppSync's built-in support for parameterized resolvers and the VTL (Velocity Template Language) to safely handle user input. Avoid directly concatenating user input into queries or filter expressions. Implement strict input validation routines to check for expected data types and patterns. Additionally, employ AWS IAM policies and AppSync's fine-grained access control mechanisms to restrict access to underlying data sources and limit the potential impact of a successful injection attack.

Graphqlgo

To mitigate NoSQL injection vulnerabilities in a GraphQL Go framework engine, ensure that all user-supplied input is properly sanitized and validated. Use parameterized queries or prepared statements to handle data input, and employ a library that provides built-in protection against injection attacks. Additionally, implement proper access controls and regularly audit your code for potential injection flaws.

Graphqlruby

In the GraphQL Ruby framework, to prevent NoSQL injection attacks, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterized queries and arguments to avoid directly interpolating variables into queries. Additionally, employ proper access control checks and adhere to the principle of least privilege when designing your schema and resolvers.

Hasura

To prevent NoSQL injection in Hasura, ensure that all GraphQL queries and mutations are constructed using parameterized arguments rather than string concatenation. Additionally, apply strict input validation, use Hasura's permission system to restrict data access, and regularly update Hasura to incorporate security fixes.

REST Specific​

Asp_net

To prevent NoSQL injection in ASP.NET applications, use parameterized queries with ORM frameworks like Entity Framework, which automatically handle the use of parameters. Avoid building queries with string concatenation, and validate and sanitize all user input. Implement proper error handling to prevent leakage of database information in error messages. Additionally, apply the principle of least privilege by restricting database permissions for application users.

Ruby_on_rails

In Ruby on Rails, prevent NoSQL injection by using parameterized queries with the ActiveRecord ORM, which ensures that user input is treated as data rather than executable code. Additionally, avoid directly passing user input to methods that perform database operations, and implement input validation to sanitize and verify the data before it's used in a query.

Next_js

In the Next.js framework, to prevent NoSQL injection attacks, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating or interpolating user input directly into queries. Utilize libraries that provide built-in protection against injection, and always validate and sanitize user input to enforce the expected data type and format. Additionally, implement proper access controls and regularly audit your code for security vulnerabilities.

Laravel

In Laravel, to prevent NoSQL injection attacks, always use Eloquent ORM or the query builder's parameter binding feature to handle your database queries. Avoid raw queries or constructing queries with user input directly. When using Eloquent, leverage its built-in protection against injection by utilizing model binding and mass assignment protection. Additionally, validate and sanitize all user inputs using Laravel's validation features to ensure that the data conforms to expected formats before it is used in any database query.

Express_js

In Express.js applications using NoSQL databases like MongoDB, prevent NoSQL injection attacks by using parameterized queries with libraries such as Mongoose, which automatically sanitize input. Avoid constructing queries with string concatenation. Additionally, implement input validation using middleware like express-validator to ensure that the data conforms to expected formats. Regularly update your database drivers and frameworks to incorporate security patches.

Django

In Django, ensure that you use the Django ORM properly to avoid NoSQL injection vulnerabilities. Always use the built-in querysets and avoid directly passing user input into filter() or raw() methods. For instance, instead of using raw string concatenation, leverage the ORM's parameterized query capabilities such as YourModel.objects.filter(field_name=user_input). This ensures that Django will handle the necessary escaping and formatting of inputs. Additionally, validate and sanitize all user inputs to ensure they meet the expected format and type. Regularly update Django to the latest version to benefit from security patches and improvements.

Symfony

In the Symfony framework, to prevent NoSQL injection attacks, use the Doctrine ODM (Object Document Mapper) or ORM (Object Relational Mapper) with parameterized queries or prepared statements. Ensure that all user-supplied input is sanitized and validated before being used in database queries. Additionally, implement proper access controls and use the latest security practices recommended by Symfony's documentation.

Spring_boot

In the Spring Boot framework, to prevent NoSQL injection attacks, it is recommended to use parameterized queries or Spring Data repositories. Avoid constructing queries using string concatenation with user input. Instead, leverage Spring Data's support for query methods, which automatically apply parameter binding and sanitization. For more complex queries, use Criteria API or QueryDSL to ensure that user input is handled safely. Additionally, validate and sanitize all user inputs to ensure they conform to expected formats. Implement proper authentication and authorization checks to restrict access to sensitive data and operations.

Flask

In Flask applications using NoSQL databases, ensure that you use parameterized queries or the equivalent feature provided by the database driver, such as the 'safe' parameter in PyMongo. Avoid constructing queries with string concatenation or interpolation of user-supplied input. Additionally, apply proper input validation, use database-specific escaping functions, and implement access controls to mitigate NoSQL injection risks.

Nuxt

In Nuxt.js applications, to prevent NoSQL injection attacks, ensure that all database queries are constructed using parameterized queries or prepared statements. This approach allows the database to distinguish between code and data, regardless of user input. Additionally, validate and sanitize all user input to remove potential malicious injection code. Implement proper error handling to avoid revealing database structures in error messages. Regularly review and update dependencies to mitigate vulnerabilities in third-party packages. Use security libraries and modules that are designed to protect against injection attacks. Finally, employ a robust authentication and authorization strategy to limit database access.

Fastapi

In FastAPI, to prevent NoSQL injection attacks, ensure that you use a proper database driver that supports parameterized queries or prepared statements. Avoid constructing queries using string concatenation with user input. Instead, leverage the features of the chosen ODM (Object Document Mapper) like motor for MongoDB, which typically provide methods to safely create queries with placeholders for parameters. Additionally, validate and sanitize all user input rigorously to ensure that it conforms to expected formats. Implement proper error handling to avoid revealing sensitive information about the database structure in error messages.

Configuration​

Identifier: injection/nosql

Options​

  • skip_objects : List of object that are to be skipped by the security test.

Examples​

Ignore this check​

checks:
  injection/nosql:
    skip: true

Score​

  • Escape Severity: HIGH

Compliance​

  • OWASP: API9:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification​

  • CWE: 943

Score​

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
  • CVSS_SCORE: 9.4

References​