How to scan for MongoDB injection vulnerabilities – and how to fix them | Gen Tech

As a part of our current work on detecting NoSQL injection vulnerabilities with Invicti, we developed and added safety checks for MongoDB injection. This put up reveals the right way to scan for MongoDB injection vulnerabilities with Invicti, the right way to analyze vulnerability studies, and the right way to repair reported vulnerabilities.

What are MongoDB injection vulnerabilities?

MongoDB is by far the preferred NoSQL database and presently the fifth hottest database engine general (in response to the DB-Engines rating). Used alongside Specific, Angular, and Node.js, it’s the basis of the MEAN software program stack for constructing full-stack JavaScript net purposes. Technically, it’s a doc database kind that shops its paperwork in JSON format.

Much like conventional SQL injection, MongoDB injection assaults depend on unsanitized consumer enter and are carried out by getting into payloads that modify MongoDB queries. There are two primary varieties of MongoDB injections: injecting MongoDB key phrases right into a weak PHP utility and injecting JavaScript into MongoDB queries. You will discover an summary of MongoDB injection strategies in a earlier weblog put up on NoSQL injection, however here’s a fast recap.

MongoDB injection into PHP purposes

MongoDB injection in PHP purposes exploits the way in which that PHP converts associative arrays to inject MongoDB operators. As a fast instance with the $ne (not equals) operator, let’s say now we have a PHP utility that receives a parameter like title=check. PHP converts this to the array "title":"check". If we are able to inject the parameter as title["$ne"]=check, PHP will convert the entire thing to "title": "$ne":check. When despatched to MongoDB as a question, this can now return all data whose title shouldn’t be equal to check (due to the $ne operator).

JavaScript injection into MongoDB queries

MongoDB permits JavaScript expressions in some queries. When unsanitized consumer enter is handed on to the $the place question operator, attackers could possibly inject malicious JavaScript into database queries. Solely a restricted subset of JavaScript properties and capabilities could be injected, however that is fairly sufficient for a helpful assault – for instance, you possibly can entry the sleep() operate for time-based assaults.

Getting ready the scanner to check for MongoDB injection vulnerabilities

As a result of MongoDB is the back-end database for thus many trendy net purposes, NoSQL injection can now be simply as harmful as SQL injection. To assist organizations discover and remediate MongoDB injection vulnerabilities, now we have added absolutely automated safety checks for these vulnerabilities to Invicti merchandise. We’ll undergo the next steps to reveal how one can simply determine and repair such safety defects: 

  • Arrange a weak utility for testing (NodeGoat)
  • Run a scan with Invicti Normal
  • Analyze the vulnerability report
  • Observe down the vulnerability in utility code
  • Remediate the vulnerability and observe finest practices to keep away from related points sooner or later

Establishing the check setting

As our demo setting, we are able to use NodeGoat – a weak Node.js utility from OWASP that makes use of MongoDB. You will discover extra details about the NodeGoat venture on the OWASP website. Establishing the appliance is a matter of issuing just a few docker-compose instructions:

git clone
docker-compose construct
docker-compose up

If all goes properly, after executing these instructions, the NodeGoat utility needs to be accessible at http://[YOUR-IP-ADDRESS]:4000.

After accessing the appliance, we are able to create a brand new consumer on the primary web page:

The appliance is now able to scan. To arrange and run the scan, we’ll use Invicti Normal. For detailed details about scanning, see our assist web page on MongoDB injection checks.

MongoDB injection checks can be found in Invicti Normal variations later than and in Invicti Enterprise on-demand since October 2022.

Making a scan profile

For this straightforward check website, all we have to do to create a scan profile is to set the goal URL and allow type authentication: 

Choosing the scan coverage

The subsequent step is to pick out the MongoDB injection safety checks we wish to run. For blind MongoDB injections, choose MongoDB Injection (Blind) underneath the NoSQL Injection safety verify group:

To verify for error-based MongoDB injections, choose MongoDB Injection (Error-Based mostly) underneath the NoSQL Injection safety verify group:

Discovering and fixing MongoDB injection vulnerabilities

With the setup achieved, now you simply hit the Scan button and look at the outcomes. As a dynamic utility safety testing (DAST) resolution, Invicti probes the appliance from the skin by sending requests that embody check assault payloads. The place potential, the scanner makes an attempt to soundly exploit vulnerabilities to show they’re actual. We’ll take a look at a MongoDB injection vulnerability report, discover the insecure utility code, remediate the problem, and retest to ensure it’s fastened.

Understanding scan outcomes

The NodeGoat utility has a deliberate MongoDB injection vulnerability underneath the allocations listing within the threshold parameter. Relying on which MongoDB injection safety verify is chosen, Invicti will report this vulnerability both as a blind MongoDB injection or an error-based MongoDB injection. For blind MongoDB injection, Invicti can even try to substantiate the vulnerability by extracting the model variety of the MongoDB occasion utilized by the appliance. When profitable, this shall be reported within the Proof of Exploit part of the vulnerability report:

When detected utilizing checks for error-based MongoDB injections, the identical vulnerability is reported as follows:

Analyzing the vulnerability

Now that we all know now we have a vulnerability, we have to discover precisely the place it’s, how the assault payload will get by way of, and the way we are able to repair the problem. Within the anticipated utilization of the weak web page, the consumer enters an integer and the appliance shows all the consumer’s inventory that’s presently valued above that threshold. Right here is an instance of output for the present consumer:

After scanning the appliance with Invicti, we now know that the Allocations web page is weak to NoSQL injections into the threshold parameter. We are able to affirm this manually by getting into this straightforward payload that ought to checklist asset allocations for all customers:

threshold=1'; return '1' == '1

As you possibly can see under, the injection works and we are able to now see inventory information for all utility customers within the output, not solely our check consumer:

Within the supply code of the NodeGoat utility, this vulnerability is launched within the allocations-dao.js file referenced by allocations.js within the app/routes folder. Let’s undergo the method of isolating this particular file based mostly on the vulnerability report.

We are able to begin by checking server.js within the root folder. This file is the place the NodeGoat utility begins and the place we are able to see which config file is used and which recordsdata are referenced. We are able to shortly uncover that the ./app/routes folder is referenced as routes on line 16, so we are able to proceed checking app/routes to seek out the weak code: 

Beneath, you possibly can see the construction of the ./app/routes folder: 

The index.js file defines which URL is routed to which file. In line 5 of index.js under, we are able to see the allocations.js file is assigned to AllocationsHandler. This line is essential and price checking as a result of, from the vulnerability studies, we all know that the vulnerability is underneath http://[ipaddress]:4000/allocations/:id:.

Trying on the allocations.js file underneath ./app/routes, we are able to see that it takes userid and threshold as parameters after which calls the getByUserIdAndThreshold() methodology from the file allocations-dao.js within the ./app/information folder:

Lastly, within the allocations-dao.js file, we are able to seek for the getByUserIdAndThreshold() methodology to see what it does. Instantly, you possibly can see that the MongoDB question makes use of the $the place operator, which is an on the spot crimson flag (as defined earlier). Unsurprisingly, we are able to additionally see that the enter parameters are immediately used within the question with none validation or sanitization:

Now that we’ve discovered the foundation reason for the vulnerability, let’s see the right way to repair the problem and keep away from it sooner or later by following finest practices.

Find out how to repair MongoDB injection vulnerabilities

For those who take a look at the vulnerability report delivered by Invicti, you will notice the next remediation steerage for MongoDB injection vulnerabilities:

  • Sanitize and strictly verify the kind of user-supplied enter.
  • Keep away from utilizing $the place, mapReduce, or $group together with consumer enter.
  • If potential, set the javascriptEnabled flag to false in mongod.conf.
  • Use the latest model of MongoDB.

Let’s undergo these suggestions to repair the vulnerability after which retest to see whether it is actually fastened.

Sanitizing user-controlled inputs

All injection assaults are made potential by unsanitized inputs, so that is the place all remediation ought to begin. For the reason that NodeGoat utility was created by OWASP for instructional functions, it already features a remediation methodology. Trying on the allocations-dao.js file within the screenshot under, you possibly can see the repair steered within the remark (in blue):

The steered resolution focuses on enter sanitization and validation by casting the threshold parameter to an integer after which checking whether it is between 0 and 99. See the documentation of the parseInt() operate to be taught extra about integer casting. To use this repair, merely uncomment it whereas commenting out the weak code. The code ought to now appear to be this (be aware the uncommented part between traces 70 and 75):

Avoiding insecure MongoDB operators and instructions

Even with validated enter, you possibly can see that the appliance nonetheless makes use of the $the place operator within the question, which isn’t a safe observe when working with user-controlled inputs. To treatment this, we are able to write a greater and safer question. After somewhat search, we are able to recreate the question with out utilizing the $the place operator. In line 74 of the allocations-dao.js file under, you possibly can see the brand new question:

Disabling JavaScript in MongoDB configuration

If your utility doesn’t use or want JavaScript in MongoDB queries, it is best to disable JavaScript in mongod.conf utilizing MongoDB configuration choices. The javascriptEnabled possibility is true by default. When set to false, it disables all operations that carry out server-side JavaScript execution, comparable to $the place, mapReduce, $accumulator, and $operate. In a default set up, mongod.conf is positioned within the /and so forth folder. To make the change, merely append javascriptEnabled: false to the safety part of the configuration file and restart the mongod service.

All the time utilizing the latest model

As a common safety finest observe, it is best to all the time use the most recent safe variations of all software program wherever potential. Particularly for MongoDB, which had some critical safety points in early variations, utilizing the most recent model is essential to stop your utility from being weak to already revealed vulnerabilities. See the MongoDB model historical past to learn the way the database has advanced.

Retesting to ensure the vulnerability is fastened

After making use of all of the remediation steps, we could be fairly assured that the vulnerability is fastened – however testing is the one approach to make sure. To verify if we resolved the vulnerability, we are able to merely scan the appliance once more with Invicti Normal utilizing the identical coverage and profile. As you possibly can see, this time no outcomes are returned for MongoDB injection safety checks, so the vulnerability was not detected:


MongoDB databases are a crucial a part of the trendy net, but automated safety testing instruments for NoSQL databases are nonetheless far much less mature than for relational databases. To deal with this, Invicti options can now detect when purposes are weak to MongoDB injections. Relying on the kind of safety verify, the scanner can routinely affirm many such vulnerabilities by safely extracting model data from the MongoDB database. 

Profitable NoSQL injection assaults could be simply as harmful as SQL injection, probably permitting attackers to learn, change, or delete information and gather delicate details about the system. Understanding the best safe growth practices for working with MongoDB is as essential as usually testing your purposes for safety points. Hopefully, this put up has proven that there are numerous methods to repair MongoDB injection vulnerabilities and keep away from them sooner or later – and that with the best instruments, you possibly can check and retest your purposes as usually as you want.

How to scan for MongoDB injection vulnerabilities – and how to fix them