
NoSQL Injection in NodeJS


NodeJS frameworks with MongoDB

The field types should either be validated, or the values explicitly cast to the type the query expects; for example, the `name` field from the example can be cast to a string with `{"name": String(…)}`.

Express uses the “qs” package, which parses query strings into objects (including nested objects) rather than plain strings, so a vulnerable parameter can be supplied as an object and exploited.

There are also libraries, such as mongo-sanitize, that perform appropriate filtering and sanitization of the data before it reaches the query.
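The two defences described above (casting the field to its expected type, and sanitizing the parsed input) side by side, as an added example that is not code from the original page or from the mongo-sanitize package; `sanitize` is a minimal re-implementation of the behaviour mongo-sanitize documents (dropping keys that begin with "$"), written here so the example runs offline with no database, and `parsedInput` is a constructed sample of what a query-string parser produces for a nested parameter.

```javascript
// Vulnerable: the parsed value is passed through unchanged, so a nested
// object such as {"$ne": ""} becomes a query operator instead of a literal.
function buildQueryUnsafe(input) {
  return { name: input.name };
}

// Defence 1: cast the field to the type the schema expects. A non-string
// (object, array) becomes a harmless literal and can no longer act as an
// operator. (Validation of the resulting value is still advisable.)
function buildQueryCast(input) {
  return { name: String(input.name) };
}

// Defence 2: recursively drop any key starting with "$" so operators cannot
// be smuggled in through nested objects or arrays. Mirrors the documented
// behaviour of mongo-sanitize; this is our own code, not the library.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, v] of Object.entries(value)) {
      if (!key.startsWith("$")) clean[key] = sanitize(v);
    }
    return clean;
  }
  return value;
}

// Returns true when a query object contains a MongoDB operator anywhere in
// its structure; usable as a last-line check or as a logging/detection signal.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || containsOperator(v));
  }
  return false;
}

// Constructed sample: what a query-string/body parser such as qs yields for
// the bracket syntax `name[$ne]=` (an object, not the string the code expects).
const parsedInput = { name: { $ne: "" } };

console.log(buildQueryUnsafe(parsedInput));           // { name: { '$ne': '' } }
console.log(buildQueryCast(parsedInput));             // { name: '[object Object]' }
console.log(buildQueryUnsafe(sanitize(parsedInput))); // { name: {} }
console.log(containsOperator(buildQueryUnsafe(parsedInput))); // true
```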


CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
NPM - mongo-sanitize
OWASP - NoSQL Injection