How to prevent NoSQL injection security vulnerabilities

Hi folks, wanted to share a new project I’ve been working on called NIVA (NoSQL Injection Vulnerable App).

NIVA is a simple web application which is intentionally vulnerable to NoSQL injection. The purpose of this project is to facilitate a better understanding of the NoSQL injection vulnerability among a wide audience of software engineers, security engineers, pentesters, and trainers. This is achieved by giving users both secure and insecure code examples which they can run and inspect on their own, complemented by easy-to-read documentation.

This edition utilizes MongoDB as the NoSQL database and the official Java driver for data access.

GitHub: aabashkin/nosql-injection-vulnapp

Feedback appreciated! I hope people find this resource useful.

Hi - This was an interesting read although it raised a few questions.

You are using BasicDBObject which is part of the legacy deprecated driver stack. It would be better if your examples used the modern API.

More interestingly, in 10 years of working with customers at MongoDB I’ve never seen anyone concatenating strings OR using $where in production. Both of which, as you rightly point out, are such major antipatterns that my assumption is that no one does it. Have you seen this mistake made? ($where is often even disabled on the server side.)

The cases of NoSQL injection I’ve seen have typically happened when input from a web service isn’t sanitised with a JS backend, so something as simple as

let password = response.get('password')

assumes password will be a string, but it could also be any other valid JSON and would be treated as such.
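The type-confusion case described in the reply above, as an added example that is not part of the original thread, NIVA, or any MongoDB driver: a JSON body parser hands the backend whatever type the client sent, and a login handler that forwards `password` straight into a filter object lets a JSON object stand in for the expected string. The sample request bodies, the `buildLoginFilter*` helpers, and the `containsOperatorKeys` walker are all constructed for this illustration; no database connection is made, the functions only build the filter object that would be handed to a `findOne` call, so the block runs offline under Node.

```javascript
// Added example (not from NIVA or the reply above): how a JSON-typed request
// body turns a "password" field into a query operator, and two defensive checks.
// No MongoDB connection is made; the functions only build the filter object that
// would be passed to a findOne() call.

// Constructed sample bodies, as an Express-style JSON body parser would deliver them.
const BODY_HONEST = { username: "alice", password: "hunter2" };
// Same endpoint, but the client sent a JSON object where a string was expected.
const BODY_TYPE_CONFUSED = { username: "alice", password: { $ne: "" } };

// Vulnerable: mirrors `let password = response.get('password')` followed by
// findOne({ username, password }). Whatever type the JSON parser produced is
// passed through, so an object value becomes an operator expression.
function buildLoginFilterUnsafe(body) {
  const username = body.username;
  const password = body.password;
  return { username: username, password: password };
}

// Defence 1: enforce the expected scalar type at the trust boundary. A login
// form only ever sends strings, so anything else is rejected before it can
// reach the query builder.
function requireString(value, fieldName) {
  if (typeof value !== "string") {
    throw new TypeError(`${fieldName} must be a string, got ${typeof value}`);
  }
  return value;
}

function buildLoginFilterSafe(body) {
  return {
    username: requireString(body.username, "username"),
    password: requireString(body.password, "password"),
  };
}

// Defence 2 (for fields that legitimately accept nested documents): walk the
// value and refuse any key that begins with "$" or contains ".", the two
// characters that give JSON keys operator or field-path meaning inside a filter.
function containsOperatorKeys(value) {
  if (Array.isArray(value)) return value.some((v) => containsOperatorKeys(v));
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith("$") || k.includes(".")) return true;
      if (containsOperatorKeys(v)) return true;
    }
  }
  return false;
}

// Returns a small verdict object so the behaviour can be checked without a DB:
// did the unsafe builder let an operator through, and did the safe builder
// accept the body at all?
function classifyBody(body) {
  const unsafeFilter = buildLoginFilterUnsafe(body);
  const operatorSmuggled = containsOperatorKeys(unsafeFilter);
  let safeFilterAccepted;
  try {
    buildLoginFilterSafe(body);
    safeFilterAccepted = true;
  } catch (e) {
    safeFilterAccepted = false;
  }
  return { operatorSmuggled, safeFilterAccepted };
}

console.log(classifyBody(BODY_HONEST));        // { operatorSmuggled: false, safeFilterAccepted: true }
console.log(classifyBody(BODY_TYPE_CONFUSED)); // { operatorSmuggled: true, safeFilterAccepted: false }
```

The first defence is the one that matters for a login endpoint: the schema of the request is known, so checking `typeof` (or validating against a JSON schema) at the boundary removes the whole class of problem. The second check is what general-purpose sanitisers do and is worth keeping for endpoints that accept nested documents, but it should be layered on top of type validation rather than replace it.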