NoSQL Injection in NodeJS
Prevention
NodeJS frameworks with MongoDB
The field types should either be validated or explicitly cast; for example, the name field can be cast to a string: {"name": String(req.body.name)}.
Express parses query strings with the “qs” package, which turns bracket syntax into nested objects, so a parameter can arrive as an object rather than a string and reach a vulnerable query unchanged.
There are also libraries, such as mongo-sanitize, that perform appropriate filtering and sanitization of request data before it is used in a query.
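The two options above (explicit cast versus type validation) side by side, as an added example that is not code from the original page. No database is used: the functions only build the filter object that would be handed to a MongoDB driver, and the request bodies are constructed inputs shaped like what Express's body parser or qs produces.

```javascript
// Vulnerable pattern: the request field is passed through unchanged, so an
// object value is inserted into the filter as-is and its keys become operators.
function unsafeFilter(body) {
  return { name: body.name, password: body.password };
}

// Hardened pattern 1: explicit cast, as in {"name": String(req.body.name)}.
// String() turns any non-string value into a plain string (an object becomes
// "[object Object]"), so the filter can only ever contain literal values.
function castFilter(body) {
  return { name: String(body.name), password: String(body.password) };
}

// Hardened pattern 2: type validation. Reject anything that is not a string
// instead of silently coercing it, so a malformed request fails loudly.
function validatedFilter(body) {
  for (const key of ['name', 'password']) {
    if (typeof body[key] !== 'string') {
      throw new TypeError(`field "${key}" must be a string`);
    }
  }
  return { name: body.name, password: body.password };
}

// Helper used to check a built filter: does any key, at any depth, start
// with "$"? If so, user input has become a query operator.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v)
    );
  }
  return false;
}

// Constructed sample inputs (hypothetical requests, not captured traffic):
// the first is what a parser yields when a field is sent as an object
// rather than a string; the second is an ordinary login body.
const hostileBody = { name: 'admin', password: { $ne: '' } };
const benignBody = { name: 'admin', password: 'correct horse' };

console.log(containsOperator(unsafeFilter(hostileBody)));   // true
console.log(containsOperator(castFilter(hostileBody)));     // false
```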
References
CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
NPM - mongo-sanitize
OWASP - NoSQL Injection