NoSQL Injection
Overview
If a database query is built from user input, an attacker can likely run malicious database queries.
Recommendation
In the case of MongoDB: don't derive your BSON queries directly from user input; always use your client library's supported method for safely building queries.
As an additional layer of security, consider running MongoDB with server-side JavaScript disabled via --noscripting (unless, of course, you specifically need server-side JavaScript). Although this doesn't prevent injection attacks, it significantly limits their potential severity.
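The following is an added example, not code from the original page, showing the recommendation above in Node.js terms: one MongoDB query document assembled from a parsed JSON request body the unsafe way and the safe way, plus a check that rejects untrusted values carrying operator keys (including `$where`, which is what `--noscripting` neutralises on the server side). The request bodies, the `username` field and the 64-character limit are constructed assumptions; no driver or database is needed to run it.

```javascript
// Added example (not from the original page): building a MongoDB filter from
// request data unsafely and safely. Both request bodies are constructed sample
// input; nothing here talks to a real database.

// Raw JSON bodies as an HTTP body parser would hand them to a handler.
// JSON parsing produces arbitrary nested objects, so a field the code
// expects to be a string may arrive as an object instead.
const BENIGN_BODY = '{"username": "alice"}';
const OPERATOR_BODY = '{"username": {"$ne": ""}}';

// Unsafe pattern: the request field is copied straight into the query
// document. With OPERATOR_BODY the intended equality match silently becomes
// an operator match, which is the injection the page describes.
function buildFilterUnsafe(body) {
  return { username: body.username };
}

// Safe pattern: insist on a plain string of bounded length and wrap it in an
// explicit $eq, so whatever the client sent is only ever compared as a literal
// value and can never be interpreted as an operator document.
function buildFilterSafe(body) {
  const username = body.username;
  if (typeof username !== 'string' || username.length === 0 || username.length > 64) {
    throw new TypeError('username must be a non-empty string of at most 64 characters');
  }
  return { username: { $eq: username } };
}

// Generic defensive check for request values that are legitimately allowed to
// be objects (e.g. a structured search form): true if any key at any depth
// starts with '$' (an operator such as $ne, $regex or $where) or contains '.'
// (a field path). Apply it to the untrusted input, not to the filter your own
// code assembles, since that filter intentionally contains $eq.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (key) => key.startsWith('$') || key.includes('.') || hasOperatorKeys(value[key]),
    );
  }
  return false;
}

// Runs both builders over both bodies and returns what each produced, so the
// difference between the two patterns is visible side by side.
function demo() {
  const results = {};
  for (const [label, raw] of Object.entries({ benign: BENIGN_BODY, operator: OPERATOR_BODY })) {
    const body = JSON.parse(raw);
    let safe;
    try {
      safe = buildFilterSafe(body);
    } catch (err) {
      safe = `rejected: ${err.message}`;
    }
    results[label] = {
      unsafe: buildFilterUnsafe(body),
      safe,
      operatorKeysInInput: hasOperatorKeys(body),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The type check in `buildFilterSafe` is the part that matters: a string can never carry an operator, whereas any object copied from the request can. `hasOperatorKeys` is the fallback for endpoints that genuinely accept structured input, and it also catches `$where`, the operator that would trigger server-side JavaScript if `--noscripting` were not set.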