Input Validation / NoSQL Injection
Description
NoSQL Injection is an injection attack that targets NoSQL databases such as MongoDB and CouchDB. The attacker supplies crafted input that is incorporated into a NoSQL query, changing the query's meaning and potentially exposing sensitive data. According to the CWE directory, NoSQL Injection is classified as CWE-918 and is a type of Input Validation vulnerability. It is most often encountered in web and API applications, where the crafted input arrives through a URL parameter, a form field, or a JSON request body.
Risk
NoSQL Injection can allow an attacker to read sensitive information from a NoSQL database, or to bypass checks (such as authentication) that the query was meant to enforce. This can lead to data exfiltration, with serious consequences for data privacy and intellectual property. According to the OWASP Testing Guide, NoSQL Injection is classified as a high-risk vulnerability and is usually found in applications that accept a large amount of user input and render dynamic content.
Solution
The most effective way to protect against NoSQL Injection is proper input validation. This can follow an allow-list (white-list) or a deny-list (blacklist) approach: an allow-list accepts only data known to be good (for example, a username must be a plain string matching a strict pattern), while a deny-list blocks data known to be bad. Allow-listing is the stronger of the two, because a deny-list only covers the patterns its author anticipated. It is also important to sanitize user input so that values with syntactic meaning to the database cannot be inserted into a query, and to check the type of each input, since many NoSQL drivers accept structured values (objects, arrays) where the application expects a string. Additionally, use stored procedures and parameterized queries where the database supports them, so that user input is always passed as data rather than assembled into query text.
Example
In the following example, no input validation is performed on the user-supplied value, so an attacker can inject into the query. The snippet builds its query as a SQL-style string for illustration; a NoSQL query assembled by the same concatenation, or by copying a parsed request value straight into a query document, has the same defect.
String query = "SELECT * FROM users WHERE name = '" + userName + "'"; // vulnerable: userName is concatenated into the query without validation
The code above performs no input validation and lets an attacker inject into the query: whatever value arrives in the userName parameter is concatenated directly into the query string, so characters or operators with syntactic meaning are interpreted by the database instead of being treated as data.
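The following is an added example, not code from the original page, showing the allow-list validation and type checking described in the Solution section next to the unsafe pattern illustrated above, in the form it most often takes in a Node.js/MongoDB application: a JSON request body whose fields are copied into a query document. The function names (buildLoginFilterUnsafe, containsOperator, validateLoginInput), the USERNAME_PATTERN rule, and the sample request bodies are all constructed for this example; the query shape assumes a "users" collection with a string "username" field.

```javascript
// Added example: allow-list validation for a MongoDB-style login lookup.
// Names and sample inputs below are constructed for illustration.

// Allow-list rule for usernames: short, plain alphanumerics only (assumption
// of this example; adjust to the application's real identifier format).
const USERNAME_PATTERN = /^[A-Za-z0-9_.-]{1,32}$/;

// Unsafe pattern: whatever the JSON body parser produced is copied straight
// into the query filter. The query document is built from untrusted input, so
// if a client sends an object instead of a string, any "$..." keys in it are
// interpreted by the database as query operators rather than as literal data.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Detection check: does a value contain any key beginning with "$" (i.e.
// anything MongoDB would treat as an operator)? Useful both as a last-line
// guard before a query runs and for flagging suspicious request bodies in logs.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some((item) => containsOperator(item));
  return Object.entries(value).some(
    ([key, inner]) => key.startsWith('$') || containsOperator(inner)
  );
}

function typeName(value) {
  if (value === null) return 'null';
  return Array.isArray(value) ? 'array' : typeof value;
}

// Hardened pattern: allow-list validation before any query is built. Only
// primitive strings are accepted, the username must match USERNAME_PATTERN,
// and the password is bounded in length. On success the returned filter
// contains only the lookup key; the password is never placed in the query and
// should instead be verified against the stored hash after the record is read.
function validateLoginInput(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'request body must be a JSON object' };
  }
  const { username, password } = body;
  if (typeof username !== 'string') {
    return { ok: false, reason: `username must be a string, got ${typeName(username)}` };
  }
  if (!USERNAME_PATTERN.test(username)) {
    return { ok: false, reason: 'username contains characters outside the allow-list' };
  }
  if (typeof password !== 'string') {
    return { ok: false, reason: `password must be a string, got ${typeName(password)}` };
  }
  if (password.length < 8 || password.length > 128) {
    return { ok: false, reason: 'password length out of range' };
  }
  // Safe to hand to the driver as a parameter object, e.g.
  // collection.findOne(filter); no query text is assembled from input.
  return { ok: true, filter: { username }, password };
}

// Constructed sample request bodies (not real traffic).
const SAMPLE_BODIES = {
  legitimate: { username: 'alice_01', password: 'correct horse battery' },
  operatorObject: { username: { $ne: null }, password: { $ne: null } },
  wrongType: { username: ['alice_01'], password: 'hunter22hunter' },
  badChars: { username: "alice' OR 1=1", password: 'hunter22hunter' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, body] of Object.entries(SAMPLE_BODIES)) {
    const unsafe = buildLoginFilterUnsafe(body);
    console.log(label, {
      unsafeFilterHasOperator: containsOperator(unsafe),
      validated: validateLoginInput(body),
    });
  }
}
```

The important design choice is that validation happens on the parsed value's type and shape, not on a string it was stringified into: a body parser hands the application objects and arrays as readily as strings, and the unsafe builder forwards them unchanged. The containsOperator check is a useful detective control (log every request body in which it fires), but the allow-list in validateLoginInput is the preventive one, because it rejects anything that is not a plain string before a filter exists at all.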