Security Hub

MongoDB

MongoDB injection

Signals & Triggers

On datastore access
If user inputs alter NoSQL query structure

Actions

  • Block the HTTP request
  • Log request stack trace
  • Log the malicious request
  • Report an incident

Notifications

  • Send an email to all team members
  • Send a Slack notification.
  • POST to your Webhook.
  • Send to New Relic Insights.
  • Create an incident on PagerDuty (coming soon)

Details

Unlike relational databases, MongoDB does not rely on SQL but on JSON to represent queries. If user inputs are not properly sanitized when the query is built, an attacker can easily inject operators that alter the query structure and make the query do something other than what it was written for.

Consider the following query: {"hidden": {$eq: true}, "groups": "?", "ref": "?"}. If the hidden field is fed by user input taken from the HTTP request query string, an attacker could pass the value {"$ne": "?"} so that the query returns all documents, regardless of their hidden status.

Sqreen can detect MongoDB injection attempts in HTTP requests without false positives by acting inside the app at the driver level.

The $where operator is covered in Node.js. A beta is ongoing to support it in all technologies.

Advanced details

When the application starts, the Sqreen library hooks the main methods of the MongoDB drivers in order to catch queries about to be executed.

Then, on every database request, Sqreen parses the JSON query locally before it is executed, looking for unsanitized operators - such as $in, $ne or $eq - that come from user inputs, alter the original query structure and let an attacker divert the query from its original purpose.

No traffic redirection is performed. The analysis of the query happens inside the application, relying on Sqreen’s dynamic instrumentation of the MongoDB driver.

By being in-app and running just before the query is sent to the MongoDB server - the very last step in your app - we can guarantee 100% false-positive-free detection and protection against NoSQL injections in MongoDB.

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen

Signals

No data collected

On attack
  • Mongo query
  • Request payload
  • Attacker IP
  • Attacker account (Sqreen SDK)

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

Node.js

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json

// This should be the first line of your app
require('sqreen');

Ruby

$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" >> config/sqreen.yml

PHP

$ curl -s https://download.sqreen.io/php/install.sh > sqreen-install.sh && bash sqreen-install.sh your token

Python

$ pip install sqreen

$ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini

# Insert at the top of your app file (typically wsgi.py or app.py)
import sqreen
sqreen.start()

Java

$ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen-latest-all.jar

// Next, add the agent to the JVM startup options:
-javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 7 days · No credit card required