NoSQL Injection - MongoDB (Time Based)

Risk:
High

Type:
Active

CWE:
CWE-943

Summary: MongoDB query injection may be possible.

Solution: Do not trust client side input and escape all data on the server side. Avoid to use the query input directly into the where and group clauses and upgrade all drivers at the latest available version.

Other info: Through the where or group MongoDB clauses, Javascript sleep function is probably executable.

References

https://arxiv.org/pdf/1506.04082.pdf

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.html

Free security scan for your website

Don't show website scan report rating on the leaderboard