NoSQL Injection Analyzer
Configuration Name: NoSqlInjection
Description
NoSQL Injection analyzer detects injection attack vulnerabilities in an API by issuing requests that contain NoSQL attack vectors. An application is vulnerable to injection attacks if it does not properly validate, filter, or sanitize input strings in a request. This can be exploited by an attacker by sending attack vectors in a request. OWASP classifies Injection as #8 in its API Security Top 10 (API8:2019).
Configuration Parameters
The NoSqlInjection analyzer has one optional configuration parameter that may
be specified when using the analyzer in a configuration.
allFields(boolean): When true, attack URLs are sent in all input fields.
Example Configuration
testProfile:
analyzers:
- kind: NoSqlInjection
allFields: false
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-20 | Improper Input Validation | The application either does not validate input data or incorrectly validates that the input may be processed safely and correctly. | Application should sanitize inputs and respond with a client error for invalid input data. | medium |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | The application does not properly validate or sanitize input data that is used in an database query. | The application should sanitize inputs and respond with a client error for invalid input data. | medium |