# NoSQL Injection
**NoSQL injection** is a type of *injection attack*. Injection attacks occur when maliciously crafted input submitted by an attacker causes an application to perform an unintended action. In a NoSQL injection attack, untrusted input from the HTTP request or frontend is inserted into a command that is run against a NoSQL database without being properly separated from the command itself. This lets an attacker alter or extend the operation the application intended to run, so they can read or modify sensitive data, bypass authentication checks, or (in engines that evaluate server-side code, such as MongoDB's `$where`) run code on the database server to escalate their attack.
NoSQL databases like MongoDB, Couchbase, Cassandra and HBase relax some of the constraints traditionally associated with relational databases to allow flexible, scalable storage. Each database engine has a query language or programmatic interface that applications use to access and manipulate data. These data access operations are usually executed using parameters taken from an HTTP request. You should make sure these parameters are passed to the database as values only (bound parameters, typed builder arguments or raw bytes), never spliced into query text or query structure, so attackers cannot inject extra statements or operators, or change the logic of an existing statement.
## NoSQL Injection in Java
Each of the major NoSQL databases has an SDK that allows you to safely update or read data. Most of these SDKs have some sort of binding mechanism that keeps untrusted values separate from the statement or filter structure; some are illustrated below.
### MongoDB
```java
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.MongoDatabase;
import com.mongodb.client.model.Filters;
import com.mongodb.client.model.Updates;
import org.bson.Document;

public static void updateUserLocation(String email, String city, String zip) throws Exception {
    try (MongoClient client = MongoClients.create(MONGO_CONNECTION_STRING)) {
        MongoDatabase database = client.getDatabase("database");
        MongoCollection<Document> users = database.getCollection("users");

        /**
         * Update the city and zip code for the user with a given email address. Make sure
         * the field names for Filters.eq(...) and Updates.set(...) calls are defined in
         * code (rather than taken from an untrusted source) to shut out the possibility of
         * injection attacks. The values are passed as Strings, so a value such as
         * {"$ne": ""} is treated as a literal string, not as a query operator.
         */
        users.findOneAndUpdate(
            Filters.eq("email", email),
            Updates.combine(
                Updates.set("city", city),
                Updates.set("zip", zip)
            )
        );
    }
}
```
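The rule in the snippet above (field names fixed in code, values passed as typed Strings) is what stops the two most common MongoDB injection patterns: parsing a client-supplied JSON body straight into a filter, and building a `$where` JavaScript expression by concatenation. The following is an added example, not code from the original page; the class `MongoFilterExamples`, the field names and the request bodies are constructed for illustration.

```java
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.conversions.Bson;

public class MongoFilterExamples {

    /**
     * VULNERABLE: the JSON request body is parsed directly into a BSON document and used
     * as the query filter. The client controls the structure, not just the value, so a
     * body of {"email": {"$ne": ""}} matches every user instead of one, and a body of
     * {"$where": "sleep(5000)"} runs server-side JavaScript if it is enabled.
     */
    public static Bson filterFromRequestBody(String json) {
        return Document.parse(json);
    }

    /**
     * VULNERABLE: $where takes a JavaScript expression. Building it by concatenation
     * lets an email value of   ' || true || '   turn the condition into always-true.
     */
    public static Bson whereFilter(String email) {
        return new Document("$where", "this.email == '" + email + "'");
    }

    /**
     * HARDENED: the field name is fixed in code and the value is checked to be a plain
     * String before it reaches Filters.eq. Operators can only appear as nested documents,
     * so a String value can never become one.
     */
    public static Bson safeFilterFromRequestBody(String json) {
        Document body = Document.parse(json);
        Object email = body.get("email");
        if (!(email instanceof String)) {
            throw new IllegalArgumentException("email must be a string");
        }
        return Filters.eq("email", (String) email);
    }

    public static void main(String[] args) {
        // Constructed attacker request body, not captured traffic.
        String attack = "{\"email\": {\"$ne\": \"\"}}";

        // Vulnerable path: the $ne operator survives into the filter.
        System.out.println(((Document) filterFromRequestBody(attack)).toJson());

        // Hardened path: the same body is rejected before any query is built.
        try {
            safeFilterFromRequestBody(attack);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A well-formed body produces an equality filter on a fixed field name.
        System.out.println(safeFilterFromRequestBody("{\"email\": \"alice@example.com\"}"));
    }
}
```

Type-checking values that arrive through generic JSON deserialization is the key step: frameworks that bind a request body to `Map<String, Object>` or `Document` will happily carry `{"$gt": ""}` through to the driver. As defence in depth, `$where` (and server-side JavaScript in general) can be disabled on the server with the `security.javascriptEnabled: false` setting in the mongod configuration.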
### Couchbase
```java
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.Collection;
import com.couchbase.client.java.Scope;
import com.couchbase.client.java.json.JsonObject;

public static void updateUserLocation(String email, String city, String zip) {
    Cluster cluster = Cluster.connect(COUCHBASE_CONNECTION_STRING, COUCHBASE_USERNAME, COUCHBASE_PASSWORD);
    Bucket bucket = cluster.bucket("bucket");
    Scope scope = bucket.scope("scope");
    Collection users = scope.collection("users");

    /**
     * Update the city and zip code for the user with a given email address, assuming that
     * records are keyed by email address. Make sure field names in the JSON update object
     * are taken from a trusted source, or at least checked against an allow-list. Note that
     * upsert writes the whole document, replacing any other fields stored under this key.
     */
    users.upsert(
        email,
        JsonObject.create().put("city", city).put("zip", zip)
    );
}
```
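Key-value operations like the `upsert` above are not exposed to query-language injection, but Couchbase applications usually also run N1QL (SQL++) queries through `cluster.query(...)`, and those have exactly the same failure mode as SQL string concatenation. The following added example (not code from the original page) shows a concatenated query beside its parameterized form, and an allow-list for the one thing parameters cannot bind: identifiers. The class name, the keyspace path and the field names are placeholders.

```java
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.json.JsonObject;
import com.couchbase.client.java.query.QueryOptions;
import com.couchbase.client.java.query.QueryResult;
import java.util.List;
import java.util.Set;

public class CouchbaseQueryExamples {

    // Placeholder keyspace path, matching the bucket/scope/collection names used above.
    private static final String USERS = "`bucket`.`scope`.`users`";

    /**
     * VULNERABLE: the email value is spliced into the statement text. An email of
     *   x' OR '1'='1
     * yields   WHERE u.email = 'x' OR '1'='1'   and returns every user document.
     */
    public static List<JsonObject> findUserUnsafe(Cluster cluster, String email) {
        String statement = "SELECT u.* FROM " + USERS + " u WHERE u.email = '" + email + "'";
        return cluster.query(statement).rowsAsObject();
    }

    /**
     * HARDENED: $email is a named parameter. The value travels alongside the statement
     * rather than inside it, so quotes and keywords in the value are just characters.
     */
    public static List<JsonObject> findUser(Cluster cluster, String email) {
        String statement = "SELECT u.* FROM " + USERS + " u WHERE u.email = $email";
        QueryResult result = cluster.query(statement,
            QueryOptions.queryOptions().parameters(JsonObject.create().put("email", email)));
        return result.rowsAsObject();
    }

    /**
     * Parameters bind values only. A sort column is an identifier and cannot be bound, so
     * any user-chosen identifier is checked against a fixed allow-list before it is
     * concatenated into the statement.
     */
    private static final Set<String> SORTABLE_FIELDS = Set.of("city", "zip", "email");

    public static List<JsonObject> listUsersInCity(Cluster cluster, String city, String sortField) {
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field: " + sortField);
        }
        String statement = "SELECT u.email, u.city, u.zip FROM " + USERS
            + " u WHERE u.city = $city ORDER BY u." + sortField;
        QueryResult result = cluster.query(statement,
            QueryOptions.queryOptions().parameters(JsonObject.create().put("city", city)));
        return result.rowsAsObject();
    }
}
```

Positional parameters (`$1`, `$2`, ... bound from a `JsonArray`) work the same way as the named form; what matters is that the untrusted value never reaches the string from which the statement is parsed.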
### Cassandra
```java
import com.datastax.driver.core.BoundStatement;
import com.datastax.driver.core.Cluster;
import com.datastax.driver.core.PreparedStatement;
import com.datastax.driver.core.Session;

public static void updateUserLocation(String email, String city, String zip) {
    Cluster cluster = Cluster.builder().addContactPoint("127.0.0.1").build();
    // "keyspace" is a placeholder; the unqualified table name below needs a keyspace to be selected.
    Session session = cluster.connect("keyspace");

    /**
     * Update the city and zip code for the user with a given email address, using
     * bind parameters to protect ourselves from injection attacks. The CQL text is
     * fixed at prepare time; the values are sent separately and can never alter it.
     */
    PreparedStatement prepared = session.prepare("UPDATE users SET city = ?, zip = ? WHERE email = ?");
    BoundStatement bound = prepared.bind(city, zip, email);
    session.execute(bound);
}
```
### HBase
```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;

public static void updateUserLocation(String email, String city, String zip) throws IOException {
    Configuration config = HBaseConfiguration.create();
    try (Connection connection = ConnectionFactory.createConnection(config);
         Table table = connection.getTable(TableName.valueOf("users"))) {

        /**
         * Rows are assumed to be keyed by email address, as in the examples above. The row
         * key, column qualifiers and values are all handed to HBase as raw bytes and are
         * never spliced into a query string, so user input cannot change the operation.
         * The column family name "info" is a placeholder.
         */
        byte[] rowKey = Bytes.toBytes(email);
        Put put = new Put(rowKey);
        put.addColumn(Bytes.toBytes("info"), Bytes.toBytes("city"), Bytes.toBytes(city));
        put.addColumn(Bytes.toBytes("info"), Bytes.toBytes("zip"), Bytes.toBytes(zip));
        table.put(put);
    }
}
```
## CWEs
* [CWE-943](https://cwe.mitre.org/data/definitions/943.html)