NoSQL Injection

Hetaram Prajapati
3 min read · Jan 13, 2021

What is NoSQL injection? How does it work? How can it be prevented?

What is NoSQL injection?

A NoSQL injection vulnerability is a flaw in a web application that uses a NoSQL database. This web application security issue lets a malicious party bypass authentication, extract data, modify data, or even gain complete control over the application. NoSQL injection attacks are the result of missing input sanitization.

NoSQL injections are just one of many injection attacks, similar to traditional SQL Injections. They are engineered to exploit modern databases that do not use SQL. The term NoSQL (not only SQL) is used to describe databases that use a less rigid structure and may refer to many different types of databases, including those that use models such as key-value, key-document, column-family, or graph.

How does it work?

If NoSQL injection is not handled properly, a malicious party can pass part of a query as input to any API. We will understand this with an example.

We pass the request body shown in the image below to the code snippet above.

In the above image we can see that for both email and password we have passed a query instead of a plain value. Now, can you guess what we will get?

In the above image we can see which query gets fired and what result we get. So if we fail to handle NoSQL injection, a malicious party can take control of a user's account. I know that in a real project we will have encryption, which also helps to prevent such issues; here I have shown it only to explain the NoSQL injection concept.

How to prevent it?

There are multiple ways to prevent it.

  • Avoid building queries from strings; use safe APIs and prepared statements.
  • Validate input to detect malicious values, and also verify the types of the input data, i.e. string, number, Boolean, object, etc. We can use joi or any other tool for this.
  • To minimize the potential damage of a successful injection attack, do not assign DBA or admin-type access rights to your application accounts; create new roles with specific, limited access instead.
  • Sanitize the data; for Express with MongoDB we can use express-mongo-sanitize to sanitize incoming data.

Below I show two examples of preventing NoSQL injection.

Example 1: Using joi

Here we can see that when we pass the same input body as last time (shown in the earlier image), we get the error shown in the image below.

So this time the user does not get access to the system through NoSQL injection.

Example 2: Using express-mongo-sanitize

In the above code snippet we have imported express-mongo-sanitize at line number 3 and used it at line number 12.

So now, even if we pass the input body without any validation, i.e. without the joi validation, we still get an error, which we can see in the image below.
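As an added example tying Example 1 and Example 2 together (this is not the article's code, which lives on the author's GitHub), here is a dependency-free Node.js version of both checks. It assumes a login handler that builds users.findOne({ email, password }) from the request body, and hand-rolls the type check that joi would perform and the "$"-key stripping that express-mongo-sanitize performs, so it runs offline without either package.

```javascript
// Added example, not the article's code. Assumption: the handler runs
// users.findOne({ email: body.email, password: body.password }), so any
// object value such as { "$gt": "" } would become a query operator.

// Step 1 (joi-style schema check): every credential must be a non-empty
// string. An object or array is rejected by type, so an operator can never
// be smuggled in as a value.
function validateLoginBody(body) {
  const errors = [];
  for (const field of ['email', 'password']) {
    const value = body[field];
    if (typeof value !== 'string' || value.length === 0) {
      errors.push(`"${field}" must be a non-empty string`);
    }
  }
  return errors.length === 0
    ? { ok: true, value: { email: body.email, password: body.password } }
    : { ok: false, errors };
}

// Step 2 (express-mongo-sanitize-style check): walk the body recursively and
// drop any key that starts with "$" or contains ".", so operator keys never
// reach the driver even when no schema validation is in place.
function sanitizeKeys(input) {
  if (Array.isArray(input)) return input.map(sanitizeKeys);
  if (input === null || typeof input !== 'object') return input;
  const clean = {};
  for (const [key, value] of Object.entries(input)) {
    if (key.startsWith('$') || key.includes('.')) continue; // strip operator key
    clean[key] = sanitizeKeys(value);
  }
  return clean;
}

// Constructed sample bodies: one legitimate, one carrying query operators
// in place of plain credential strings.
const legitBody = { email: 'alice@example.com', password: 'correct horse' };
const injectedBody = { email: { $gt: '' }, password: { $gt: '' } };

console.log(validateLoginBody(legitBody));    // ok: true
console.log(validateLoginBody(injectedBody)); // ok: false, two type errors
console.log(sanitizeKeys(injectedBody));      // { email: {}, password: {} }
```

After sanitizing, the injected body becomes { email: {}, password: {} }, which matches no user, so the login fails instead of returning the first account.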

Conclusion

We have understood what NoSQL injection is, how it works and how to prevent it. You can find the complete code on GitHub. I have commented out app.use(mongoSanitize()) in the code on GitHub; you can uncomment it after downloading the code if needed.


Hetaram Prajapati

I am a technology enthusiast and software developer with 3+ years of experience working with Angular, NodeJS, MongoDB, Java, and Spring Boot.