MongoDB Injection (NoSQLi injection)
Test name: MongoDB Injection
Test ID: nosqli
| Summary |
|---|
| NoSQL injection (NoSQLi) is a security vulnerability that occurs when an attacker is able to inject malicious input into a NoSQL database query. NoSQL databases such as MongoDB are non-relational databases that store and retrieve data in flexible formats like JSON. NoSQLi exploits can lead to unauthorized data access, data manipulation, or even complete control over the affected database. |
| Impact |
|---|
| NoSQLi takes advantage of improper input validation or inadequate query construction. Attackers craft malicious payloads using NoSQL query operators or syntax, which, when executed, can modify the original intent of the query. |
| Some possible outcomes include: |
| - Unauthorized data access |
| - Data manipulation |
| - Data exfiltration |
| - Denial of service (DoS) |
| - Privilege escalation |
| - Lateral movement |
| Location |
|---|
| Source code of the client. |
| Remedy suggestions |
|---|
| To prevent NoSQLi, developers should implement proper input validation, use parameterized queries or prepared statements, employ least privilege access controls, and keep software up-to-date with the latest security patches. |
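The Impact and Remedy suggestions sections above describe operator injection in the abstract. The following is an added example, not code from the original page or from the scanner vendor: it shows how a login filter built straight from a JSON request body lets a client replace a string with an operator object such as `{ "$ne": "" }`, and two defensive measures that close the hole. In the MongoDB driver a filter is already a structured object, so the equivalent of "parameterizing" the query is controlling the *types* of the values placed in it. No database is needed: the `USERS` collection and the tiny `findOne` matcher (which understands only `$ne`, `$gt` and `$regex`) are constructed for this demonstration, and all function names are hypothetical.

```javascript
// Added example (not from the original page). A MongoDB-style login filter
// built from untrusted input, the operator-injection failure mode, and two
// defensive fixes. Everything below is self-contained and runs offline.

// Constructed sample collection standing in for a real `users` collection.
const USERS = [
  { username: "alice", password: "correct horse battery staple", role: "admin" },
  { username: "bob", password: "hunter2", role: "user" },
];

// Minimal subset of MongoDB's filter semantics for one field. A condition is
// either a literal (equality) or an object whose keys are all operators.
function fieldMatches(actual, condition) {
  const isObject = condition !== null && typeof condition === "object" && !Array.isArray(condition);
  const keys = isObject ? Object.keys(condition) : [];
  if (isObject && keys.length > 0 && keys.every((k) => k.startsWith("$"))) {
    return keys.every((op) => {
      const arg = condition[op];
      switch (op) {
        case "$ne": return actual !== arg;
        case "$gt": return actual > arg;
        case "$regex": return new RegExp(arg).test(String(actual));
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  // Non-operator values compare by (structural) equality, as MongoDB does;
  // a string field never equals an object such as {}.
  return JSON.stringify(actual) === JSON.stringify(condition);
}

// In-memory stand-in for collection.findOne(filter).
function findOne(collection, filter) {
  const hit = collection.find((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
  return hit === undefined ? null : hit;
}

// VULNERABLE: the parsed JSON body is copied into the filter unchanged, so a
// body of {"username":{"$ne":""},"password":{"$ne":""}} turns two equality
// checks into "any non-empty username and any non-empty password".
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// FIX 1 (input validation): both credentials must be plain strings. Objects,
// arrays and numbers are rejected before any filter is built, so an operator
// can never reach the query.
function buildLoginFilterHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// FIX 2 (defence in depth): recursively drop keys that start with "$" or
// contain "." from user-supplied data, the approach taken by middleware such
// as express-mongo-sanitize. Use this in addition to, not instead of, FIX 1.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith("$") || k.includes(".")) continue;
      out[k] = stripOperators(v);
    }
    return out;
  }
  return value;
}

// Runs the three cases and returns who (if anyone) each filter would log in.
function demo() {
  const honest = { username: "bob", password: "hunter2" };
  // Constructed injection payload: operator objects in place of strings.
  const injected = { username: { $ne: "" }, password: { $ne: "" } };

  const vulnerableHonest = findOne(USERS, buildLoginFilterVulnerable(honest));
  const vulnerableInjected = findOne(USERS, buildLoginFilterVulnerable(injected));
  let hardenedInjected;
  try {
    hardenedInjected = findOne(USERS, buildLoginFilterHardened(injected));
  } catch (e) {
    hardenedInjected = e.name; // "TypeError": request rejected before querying
  }
  const sanitizedInjected = findOne(USERS, buildLoginFilterVulnerable(stripOperators(injected)));

  return {
    vulnerableHonest: vulnerableHonest && vulnerableHonest.username,     // "bob"
    vulnerableInjected: vulnerableInjected && vulnerableInjected.username, // "alice" (admin!)
    hardenedInjected,                                                     // "TypeError"
    sanitizedInjected,                                                    // null
  };
}

module.exports = { USERS, findOne, buildLoginFilterVulnerable, buildLoginFilterHardened, stripOperators, demo };
```

Running `demo()` shows why the Impact section lists privilege escalation: the injected body contains no credentials at all, yet the vulnerable filter returns the first matching document, here the admin account. The type check is the primary fix because it reflects what the query was meant to compare; key stripping is a useful second layer for fields whose schema is less rigid. In a real application the password would of course be a salted hash verified after lookup rather than a query predicate, but the injection mechanics are the same.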
| Classifications |
|---|
| - CWE-943 |
| - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| References |
|---|