NoSQL Injection

High Web Application Scanning Plugin ID 98116


NoSQL Injection


A NoSQL injection occurs when a value originating from the client's request is
used within a NoSQL call without prior sanitisation.

This can allow cyber-criminals to execute arbitrary NoSQL code and thus steal data,
or use the additional functionality of the database server to take control of
further server components.

Scanner discovered that the affected page and parameter are vulnerable. This
injection was detected as scanner was able to discover known error messages within
the server's response.


The most effective remediation against NoSQL injection attacks is to ensure that NoSQL API calls are not constructed via string concatenation that includes unsanitized data.
Sanitization is best achieved using existing escaping libraries.

See Also

Plugin Details

Severity: High

ID: 98116

Type: remote

Family: Injection

Published: 2017/03/31

Updated: 2017/10/16

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference Information

CWE: 89

WASC: SQL Injection

OWASP: 2017-A1, 2013-A1, 2010-A1