NoSQL Injection

Overview

If a database query is derived from user input, an attacker is likely to be able to run malicious database queries.

Recommendation

In the case of MongoDB: don't derive your BSON queries directly from user input— always use your client library's supported method for safely building queries.

As an additional layer of security, consider running your MongoDB with server-side javascript disabled via --noscripting (unless, of course, you specifically need server-side javascript!). Although this doesn't prevent injection attacks, it significantly limits their potential severity.

Examples

References