
NoSQL Injection in NodeJS

Prevention

NodeJS frameworks with MongoDB

Field types should either be validated or explicitly cast. For example, the name field from the example can be cast to a string: {"name": String(req.body.name)}.

Express parses query strings with the “qs” package, which turns bracketed parameters into nested objects. A parameter the application expects to be a plain string can therefore arrive as an object, which is what makes the vulnerable parameters exploitable.

There are also libraries, such as mongo-sanitize, that perform appropriate filtering and sanitization of input data.
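The three options above (explicit cast, type validation, and operator-key stripping) side by side, as an added example that is not part of the original page. No database is involved: each function returns the filter object that would be handed to a MongoDB query, and the `sampleBody` input is constructed to look like what a qs-style parser produces for a bracketed parameter; the stripping routine re-implements the documented behaviour of mongo-sanitize rather than importing it.

```javascript
// Added example (not from the original page): keeping a user-supplied "name"
// from reaching the query as a MongoDB operator object.

// Unsafe: whatever the body parser produced is passed straight through,
// so an object-valued "name" becomes part of the query semantics.
function buildFilterUnsafe(body) {
  return { name: body.name };
}

// Option 1: explicit cast, as the page suggests. An object is coerced to the
// harmless literal "[object Object]", so the filter stays a plain equality.
function buildFilterCast(body) {
  return { name: String(body.name) };
}

// Option 2: validate the type and reject anything that is not a string.
function buildFilterValidated(body) {
  if (typeof body.name !== 'string') {
    throw new TypeError('name must be a string');
  }
  return { name: body.name };
}

// Option 3: recursively drop keys beginning with "$" (operator keys).
// Assumption: this mirrors what the mongo-sanitize package does; it is
// re-implemented here so the example runs without that dependency.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) clean[k] = stripOperatorKeys(v);
    }
    return clean;
  }
  return value;
}

// Constructed sample: a nested object where the application expects a string.
const sampleBody = { name: { $ne: '' } };

console.log('unsafe   :', JSON.stringify(buildFilterUnsafe(sampleBody)));
console.log('cast     :', JSON.stringify(buildFilterCast(sampleBody)));
console.log('sanitized:', JSON.stringify(stripOperatorKeys(sampleBody)));
try {
  buildFilterValidated(sampleBody);
} catch (err) {
  console.log('validated:', err.message);
}
```

Note that stripping alone leaves an empty object in place of the field, so type validation (option 2) is still the most precise check; stripping is a safety net, not a replacement.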

References

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
NPM - mongo-sanitize
OWASP - NoSQL Injection