NoSQL injection

Description

The system generates NoSQL queries dynamically and without validating untrusted inputs.

Impact

Obtain information from the environment by means of malicious statements.

Recommendation

Validate and escape data that will be included in queries generated dynamically.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Perform server-side validation of user inputs before building NoSQL queries.

import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCursor;
import com.mongodb.MongoClient;

MongoClient mongoClient = new MongoClient();
DB db = mongoClient.getDB("test");
boolean auth = db.authenticate(myUserName, myPassword.toCharArray());

// Sanitize user input before querying.
// cleanUser() normalizes the username and returns a plain String;
// isAllowedTerm() checks the search term against an allow-list.
// Both helpers are assumed to be defined elsewhere in the application.
static void myMethod(Object user, Object searchTerm) {
    String cleanedUser = cleanUser(user);
    if (isAllowedTerm(searchTerm)) {
        BasicDBObject searchQuery = new BasicDBObject("user", cleanedUser).append("info", searchTerm);
        DBCursor queryResult = db.getCollection("customer").find(searchQuery);
        System.out.println(queryResult.toArray());
    }
}

Non compliant code

The application uses user input to build NoSQL queries without validation.

import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCursor;
import com.mongodb.MongoClient;

MongoClient mongoClient = new MongoClient();
DB db = mongoClient.getDB("test");
boolean auth = db.authenticate(myUserName, myPassword.toCharArray());

// The raw values parsed from the request go straight into the query filter,
// with no type check or validation.
static void myMethod(Object user, Object searchTerm) {
    BasicDBObject searchQuery = new BasicDBObject("user", user).append("info", searchTerm);
    DBCursor queryResult = db.getCollection("customer").find(searchQuery);
    System.out.println(queryResult.toArray());
}
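The two snippets above show the shape of the fix but not what the validation actually has to check. The example below, added here and not part of the original page, shows both the non-compliant pass-through and the compliant builder in JavaScript, since the most common setting for this bug is a Node.js service whose JSON body parser hands a MongoDB filter an object where a string was expected. The names buildUnsafeQuery, buildCustomerQuery, cleanUser, isAllowedTerm, containsOperator, ALLOWED_TERMS and the sample request bodies are all constructed for this illustration; no database connection is needed because the point is the filter document that would be sent.

```javascript
// Added example (not from the page): building a MongoDB filter document from
// untrusted input. All names and sample bodies below are constructed.

// Allow-list of search terms the application actually supports (assumed).
const ALLOWED_TERMS = new Set(["orders", "invoices", "addresses"]);

// Usernames: 1-32 characters, letters, digits, dot, underscore or hyphen.
const USER_PATTERN = /^[A-Za-z0-9._-]{1,32}$/;

// Non-compliant: whatever the JSON body contained becomes the filter value.
// If the body held an object instead of a string, the filter now carries
// a query operator rather than a literal username.
function buildUnsafeQuery(user, searchTerm) {
  return { user: user, info: searchTerm };
}

// Compliant: enforce the type first, then the allowed character set.
function cleanUser(user) {
  if (typeof user !== "string") {
    throw new TypeError("user must be a string, got " + typeof user);
  }
  const trimmed = user.trim();
  if (!USER_PATTERN.test(trimmed)) {
    throw new RangeError("user contains characters outside the allowed set");
  }
  return trimmed;
}

// The search term is only accepted if it is a string on the allow-list.
function isAllowedTerm(searchTerm) {
  return typeof searchTerm === "string" && ALLOWED_TERMS.has(searchTerm);
}

// Returns the filter document, or throws if either input is unacceptable.
function buildCustomerQuery(user, searchTerm) {
  const safeUser = cleanUser(user);
  if (!isAllowedTerm(searchTerm)) {
    throw new RangeError("search term is not in the allow-list");
  }
  return { user: safeUser, info: searchTerm };
}

// Non-throwing wrapper for callers that want a result object.
function tryBuildCustomerQuery(user, searchTerm) {
  try {
    return { ok: true, query: buildCustomerQuery(user, searchTerm) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Defence in depth: true if any key anywhere in a parsed JSON value starts
// with "$". Useful as a request-level guard or as a detection signal to log
// before the value ever reaches query construction.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some(
      (k) => k.startsWith("$") || containsOperator(value[k])
    );
  }
  return false;
}

// Constructed sample request bodies, as a body parser would present them.
const goodBody = { user: "alice", searchTerm: "orders" };
const badBody = { user: { $ne: "" }, searchTerm: "orders" };

console.log("unsafe:", JSON.stringify(buildUnsafeQuery(badBody.user, badBody.searchTerm)));
console.log("safe, bad input:", tryBuildCustomerQuery(badBody.user, badBody.searchTerm));
console.log("safe, good input:", tryBuildCustomerQuery(goodBody.user, goodBody.searchTerm));
console.log("operator present:", containsOperator(badBody));
```

The type check in cleanUser is the part that matters most: escaping characters does nothing against an operator object, because the problem is the value's type, not its content. The allow-list for searchTerm follows the page's isAllowedTerm idea and removes the need to reason about which strings are safe at all. containsOperator is a coarse secondary check; it should log and reject, not attempt to strip the keys, since a stripped request silently changes meaning.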

Requirements