NoSQL Injection - MongoDB (Time Based)

ID

nosql_injection_mongodb_time_based

Severity

critical

Kind

Injection

CWE

943

Description

This detector identifies MongoDB NoSQL injection vulnerabilities using time-based blind injection techniques. It checks whether user-controlled input is directly incorporated into MongoDB queries without proper validation, allowing attackers to manipulate query logic by injecting malicious operators or JavaScript code.

Rationale

NoSQL injection in MongoDB allows attackers to bypass authentication, extract sensitive data, or manipulate database operations by injecting malicious query operators such as $ne and $gt, or JavaScript expressions. Attackers can use time-based techniques to infer data character by character when direct output is not available. In authentication contexts, injecting {"$ne": null} can bypass password checks entirely. Successful exploitation can lead to complete database compromise, including unauthorized data access, modification, or deletion.

Remediation

Do not trust client-side input; validate and escape all data on the server side. Avoid using query input directly in where and group clauses, and upgrade all drivers to the latest available version.
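As an added example (not the detector's or any project's own code), the vulnerable pattern this detector looks for is shown beside a hardened form. It assumes an Express-style parsed request body and returns the filter objects instead of sending them to MongoDB, so it runs without a driver.

```javascript
// Added example: vulnerable filter construction vs. a hardened builder.
// No MongoDB driver is used; the functions return the filter that would be
// passed to collection.findOne(), so the shapes can be inspected offline.

// VULNERABLE: the parsed body is placed straight into the filter. A body such
// as {"username":"admin","password":{"$ne":null}} (or, with an extended
// query-string parser, username=admin&password[$ne]=) produces a filter that
// matches the admin document regardless of password. $where-style JavaScript
// rides on the same mechanism: an attacker-controlled object key starting with "$".
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Walk the input tree and report any key beginning with "$" (query operators).
// null/undefined/primitives carry no keys and are safe to pass through.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperatorKey(v)
    );
  }
  return false;
}

// HARDENED: reject operator keys anywhere in the body, then require that the
// two fields are plain strings so the filter can only ever be an equality match.
function buildLoginFilterHardened(body) {
  if (containsOperatorKey(body)) {
    throw new TypeError('operator keys ("$...") are not allowed in input');
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Constructed sample inputs: a normal login and the operator-injection shape
// described in the Rationale above.
const normalBody = { username: 'alice', password: 'hunter2' };
const injectedBody = { username: 'admin', password: { $ne: null } };

console.log(buildLoginFilterVulnerable(injectedBody)); // { username: 'admin', password: { '$ne': null } }
console.log(containsOperatorKey(injectedBody));        // true
```

Rejecting "$"-prefixed keys also blocks $where payloads; as a defence in depth, server-side JavaScript evaluation can be disabled on mongod with the security.javascriptEnabled setting.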