
NoSQL Injection Analyzer

Configuration Name: NoSqlInjection

Description

The NoSQL Injection analyzer detects injection vulnerabilities in an API by issuing requests whose input fields contain NoSQL attack vectors. An application is vulnerable to injection if it does not properly validate, filter, or sanitize the input strings in a request, since an attacker can then supply attack vectors in those inputs and have them interpreted as part of a database query. OWASP classifies Injection as #8 in its API Security Top 10 (API8:2019).

Configuration Parameters

The NoSqlInjection analyzer has one optional configuration parameter that may be specified when using the analyzer in a configuration.

  • allFields (boolean): When true, attack URLs are sent in all input fields.

Example Configuration

testProfile:
  analyzers:
    - kind: NoSqlInjection
      allFields: false

Faults Reported

Fault Identifier: CWE-20
  Title: Improper Input Validation
  Summary: The application either does not validate input data or incorrectly validates that the input may be processed safely and correctly.
  Solution: The application should sanitize inputs and respond with a client error for invalid input data.
  Severity: medium

Fault Identifier: CWE-943
  Title: Improper Neutralization of Special Elements in Data Query Logic
  Summary: The application does not properly validate or sanitize input data that is used in a database query.
  Solution: The application should sanitize inputs and respond with a client error for invalid input data.
  Severity: medium
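The following is an added example, not code from the analyzer's documentation or from the analyzer itself. It illustrates both the condition the Description paragraph probes for (request input reaching a NoSQL query without validation) and the remedy named in the Solution column (sanitize inputs and answer invalid input with a client error). It uses no database: each handler returns the MongoDB-style query document it would issue, so the effect of a benign request and of a request carrying a query operator can be compared offline. All function names (buildLoginQueryUnsafe, validateLoginInput, containsOperator, handleLogin) and the sample request bodies are constructed for this illustration.

```javascript
// Added example: a vulnerable request handler beside a hardened one, with the
// query document returned instead of executed so the behaviour is inspectable.
// All names below are hypothetical; no real framework or driver is involved.

// Vulnerable pattern: the parsed JSON body is copied straight into the query
// document. A password field holding an object such as {"$ne": ""} is passed
// through as a query operator rather than a literal value, so the equality
// match the developer intended becomes "any password".
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Thrown for any input that fails validation; mapped to a 4xx client error,
// which is the response the analyzer expects for invalid input data.
class ValidationError extends Error {}

const ALLOWED_FIELDS = ['username', 'password'];
const MAX_FIELD_LENGTH = 256;

// Hardened pattern: accept only the expected fields, require each one to be a
// non-empty plain string, and reject everything else (objects, arrays,
// numbers, missing or extra fields) before a query is ever constructed.
function validateLoginInput(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new ValidationError('request body must be a JSON object');
  }
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.includes(key)) {
      throw new ValidationError(`unexpected field: ${key}`);
    }
  }
  for (const key of ALLOWED_FIELDS) {
    const value = body[key];
    if (typeof value !== 'string') {
      throw new ValidationError(`${key} must be a string`);
    }
    if (value.length === 0 || value.length > MAX_FIELD_LENGTH) {
      throw new ValidationError(`${key} has invalid length`);
    }
  }
  return { username: body.username, password: body.password };
}

// Defence in depth: a final check on the assembled query document. Any key
// beginning with '$' or containing '.' at any depth means an operator or a
// field path has leaked into the query from untrusted input.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperator(v),
    );
  }
  return false;
}

// Simulated request handling. Returns an HTTP-style status plus the query
// that would be sent to the database (null when the request is rejected).
function handleLogin(body, { hardened }) {
  if (!hardened) {
    // Vulnerable path: no validation, the query goes out as built.
    return { status: 200, query: buildLoginQueryUnsafe(body) };
  }
  try {
    const query = validateLoginInput(body);
    if (containsOperator(query)) return { status: 400, query: null };
    return { status: 200, query };
  } catch (e) {
    if (e instanceof ValidationError) return { status: 400, query: null };
    throw e;
  }
}

// Constructed sample requests: one benign, one carrying an operator object in
// the password field, of the kind an injection analyzer submits to an API.
const benignRequest = { username: 'alice', password: 'correct horse' };
const injectedRequest = { username: 'alice', password: { $ne: '' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe, benign  :', handleLogin(benignRequest, { hardened: false }));
  console.log('unsafe, injected:', handleLogin(injectedRequest, { hardened: false }));
  console.log('hardened, injected:', handleLogin(injectedRequest, { hardened: true }));
}
```

In the unsafe path the injected request is accepted with status 200 and the operator survives in the query document, which is exactly the outcome the analyzer reports as CWE-943; in the hardened path the same request is refused with a 400 before any query exists, satisfying the Solution column for both CWE-20 and CWE-943.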