Skip to main content

NoSQL Injection Stored

Description​

A NoSQL injection vulnerability occurs when users can insert (or β€œinject”) malicious NoSQL code in a legit SQL query that is built from user-submitted input. A successful NoSQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and in some cases issue commands to the operating system.

Remediation​

Primary defenses:

  • Use a sanitization library.
  • Cast the inputs to the expected type (eg: The username and password are strings so cast the variables to a string).
  • Never use where, mapReduce, or group operators with user input: they allow the attacker to inject JavaScript and are therefore much more dangerous than others. For extra safety, set javascriptEnabled to false in mongod.conf (if using mongoDB).
  • Enforce Least Privilege.

GraphQL Specific​

Apollo

To mitigate NoSQL injection vulnerabilities in the Apollo framework, ensure that all user-supplied input is validated and sanitized. Use parameterized queries or the built-in filtering and parameterization features provided by the database driver or ORM. Avoid directly concatenating or interpolating user input into database queries. Implement proper access controls and regularly audit your codebase for security issues.

Yoga

To prevent NoSQL injection attacks in the Yoga framework engine, ensure that all database queries are constructed using parameterized queries or prepared statements. Avoid concatenating user input directly into database queries. Validate and sanitize all user inputs to ensure they conform to expected formats. Implement proper error handling to prevent the disclosure of database structures. Regularly review and update security measures in line with best practices.

Awsappsync

To mitigate NoSQL injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is validated and sanitized. Use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to parameterize data access in resolvers, and avoid directly passing user input to NoSQL queries. Implement strict type checking and input validation using AppSync's schema definition. Additionally, employ AWS WAF (Web Application Firewall) to filter out malicious requests and regularly update your security rules to protect against emerging threats.

Graphqlgo

To mitigate NoSQL injection vulnerabilities in a GraphQL Go framework engine, ensure that all user-supplied input is properly sanitized and validated. Use parameterized queries or prepared statements to handle data input, and avoid directly concatenating or interpolating user input into database queries. Additionally, implement proper access control checks and adhere to the principle of least privilege when accessing the database. Regularly review and update your security practices to protect against emerging threats.

Graphqlruby

To mitigate NoSQL injection vulnerabilities in a GraphQL Ruby framework, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterized queries provided by the framework, such as variables in GraphQL queries, to prevent attackers from injecting arbitrary NoSQL code. Additionally, employ proper access control checks to restrict data access and operations based on user permissions. Regularly update the GraphQL Ruby framework and its dependencies to incorporate security fixes. Consider using an allowlist approach for query complexity and depth to prevent abusive queries. Implement monitoring and logging to detect and respond to suspicious activities promptly.

Hasura

To prevent NoSQL injection attacks in the Hasura framework, ensure that all user-supplied input is validated and sanitized. Use prepared statements with variable binding for GraphQL queries. Additionally, implement strict access controls and permission rules to limit the exposure of sensitive data. Regularly review and update security policies to keep up with emerging threats.

Configuration​

Identifier: injection/nosql_stored

Options​

  • skip_objects : List of object that are to be skipped by the security test.

Examples​

Ignore this check​

checks:
  injection/nosql_stored:
    skip: true

Score​

  • Escape Severity: HIGH

Compliance​

  • OWASP: API9:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification​

  • CWE: 943

Score​

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
  • CVSS_SCORE: 9.4

References​