What is a NoSQL injection vulnerability?

NoSQL databases (also known as non-relational) do not use SQL for queries. There are a variety of different types of NoSQL databases, such as:

  • Key-Value
  • Key-Document
  • Column-Family
  • Graph

NoSQL was designed in response to flexible design methodologies. Relational databases (SQL) require pre-defined schemas and do not allow updates when the data is already in the database. Adding new fields requires moving the database to a new format, which can be time consuming.

NoSQL attack

While NoSQL databases, such as MongoDB, do not use SQL for queries, they still query based on user input.

The main difference between SQL and NoSQL injection is the grammar and syntax of the query. NoSQL databases do not have a standard language. However, the syntax of their languages ​​is similar (since they are designed to do the same thing).

One NoSQL injection application is σε εφαρμογές web που έχουν δημιουργηθεί στη στοίβα MEAN (MongoDB, Express, Angular και Node). Κατά τη διαβίβαση δεδομένων, οι εφαρμογές MEAN χρησιμοποιούν το JSON, το οποίο είναι το ίδιο πράγμα που χρησιμοποιείται από το MongoDB. Η διείσδυση κώδικα JSON σε μια εφαρμογή MEAN μπορεί να επιτρέψει επιθέσεις injection σε μια βάση δεδομένων MongoDB.

For example, the above screenshot (from NullSweep ) shows an application that is vulnerable to NoSQL. From a request, the code pulls a username and password and puts it into a MongoDB query. By passing the JSON {“username”: “myaccount”, “password”: {“$ne”: 1}} , an attacker could control to the service without a password.

MongoDB and other NoSQL databases are commonly used in web applications. For example, a website might request user account credentials on a web form, store authentication information in a MongoDB database, and perform credential checks using JavaScript.

Strict integration of MongoDB in JavaScript and other programming languages ​​means that NoSQL attacks can be used to execute attacks at other levels. A NoSQL injection attack that includes JavaScript code will allow this code to be executed within the web application.


NoSQL injection protection against attacks

NoSQL injection attacks are very similar to SQL injection attacks: they exploit the poor resolution of user input when creating database queries. This means that the same tools for protection against SQL injection attacks also work for NoSQL, such as:

NoSQL databases are still databases, which means that it is often important to run queries using user-provided data. As with SQL databases, it is important to ensure that the information is properly disinfected before using it in a query to minimize the vulnerability of an application to injection attacks.



  1. Foreword, OWASP
  2. 2019 CWE Top 25 Most Dangerous Software Errors, Common Weakness Enumeration
  3. NoSQL Databases Explained, MongoDB
  4. NoSQL Injection, RangeForce (Medium)
  5. A NoSQL Injection Primer (with Mongo), NullSweep

iGuRu.gr The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).