DEV Community


Data sanitization against NoSQL query injection in MongoDB and Node.js application

Kater Akeren ・3 min read

Introduction

Injection attacks are a cancer at the heart of any software application that accepts user input. This dangerous vulnerability exists in a wide variety of applications as a result of poor sanitization of input data before it is sent to the database. The effect is that the database becomes exposed to one of the most dangerous classes of software error, injection attacks, and the NoSQL paradigm is no exception.
It is essential for every developer to protect themselves against injection attacks in order to prevent a malicious actor from accessing and modifying sensitive data, including passwords, usernames, email addresses, authentication tokens, and so on.

What is a NoSQL database?

According to the literature, the term NoSQL was coined in 1998 and stands for "Not Only SQL". NoSQL is a modern database design that can accommodate a wide variety of data models and provides strong backend support for big data applications.
NoSQL databases are characterized by horizontal scalability, schema-free data models, easy cloud deployment, a scale-out architecture and fault tolerance, according to Dr. Patrick Obilikwu in his lecture notes on Database Management Systems II. The exponential growth of big data applications is the driving factor behind the wide variety of "Not only SQL" systems.
NoSQL databases are well suited to:

  • Big Data capability
  • Fast performance
  • Easy replication
  • High scalability
  • High availability

NoSQL injection

NoSQL databases like MongoDB do not use SQL for queries, but they still build queries from user input data, which means they are still vulnerable to injection attacks if that input is not properly sanitized. The key difference between SQL and NoSQL injection attacks is the syntax.
Let's simulate a NoSQL query injection that logs us into the application with a given password but without knowing the user's username. Instead of providing a valid username, we put the simulated injection query in the username field, bearing in mind that the request body is encoded as JSON:

```json
{
  "username": {"$gt":""},
  "password": "$#@Call4Code"
}
```

The snippet above demonstrates how an application built with Node.js and MongoDB as its database backend can be attacked with NoSQL injection queries. It may shock you that the request above succeeds, because the `$gt` condition always evaluates to true: every non-empty username is greater than the empty string, so the query matches a user on the password alone.

Protecting against the NoSQL injection

We can easily protect ourselves against this attack by using the npm package express-mongo-sanitize. It helps mitigate the attack by stripping the offending characters from the request before any query is built.

Installation

```bash
npm install express-mongo-sanitize
```

Usage

```javascript
const express = require('express');
const mongoSanitize = require('express-mongo-sanitize');

// Project-local error helpers used further down; these paths are assumed,
// adjust them to your own project layout
const AppError = require('./utils/appError');
const globalErrorHandler = require('./controllers/errorController');

const app = express();

/*
** IMPORT ROUTES
*/
const userRouter = require('./api/routes/userRoutes');
const postRouter = require('./api/routes/postRoutes');

/*
** GLOBAL MIDDLEWARES
*/
// Parse JSON bodies first so the sanitizer has a parsed req.body to inspect
app.use(express.json());
// Data sanitization against NoSQL query injection:
// removes keys that start with '$' or contain '.' from body, params and query
app.use(mongoSanitize());

/*
** ROUTES
*/
app.use('/api/v1/users', userRouter);
app.use('/api/v1/posts', postRouter);

/*
** HANDLING UNHANDLED ROUTES
*/
app.all('*', (req, res, next) => {
    next(new AppError(`Can't find ${req.originalUrl} on this Server!`, 404));
});

/*
** GLOBAL ERROR
*/
app.use(globalErrorHandler);

module.exports = app;
```

mongoSanitize is a function that we call; it returns a middleware function that prevents the attack by inspecting the request body, request parameters and request query string and removing any keys that begin with a dollar sign ($) or contain a dot (.) before the queries are executed.
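To make the middleware's effect concrete, here is an added example (not code from the original post or from express-mongo-sanitize itself): a small re-implementation of the same key stripping, a stricter login-filter builder that refuses non-string credentials, and an in-memory stand-in for the users collection (assumed sample data; no MongoDB connection) whose matcher understands only `$gt` and plain equality.

```javascript
// Remove every key that starts with '$' or contains '.', recursively.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, val] of Object.entries(value)) {
      if (key.startsWith('$') || key.includes('.')) continue; // drop operator keys
      clean[key] = sanitize(val);
    }
    return clean;
  }
  return value;
}

// Defence in depth: credentials must be plain strings, so an object such as
// {"$gt": ""} is rejected even if the sanitizing middleware were missing.
function buildLoginFilter(body) {
  const { username, password } = sanitize(body);
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Constructed sample data standing in for the users collection (assumed values).
const USERS = [
  { username: 'alice', password: 'hunter2' },
  { username: 'bob', password: '$#@Call4Code' },
];

// Mimics how MongoDB evaluates one field condition: an object whose keys start
// with '$' is an operator expression, anything else is an equality match.
function matches(docValue, cond) {
  const isOperator = cond !== null && typeof cond === 'object' &&
    Object.keys(cond).some((k) => k.startsWith('$'));
  if (!isOperator) return JSON.stringify(docValue) === JSON.stringify(cond);
  return Object.entries(cond).every(([op, v]) => op === '$gt' && docValue > v);
}

// Return every user document that satisfies all fields of the filter.
function findUsers(filter) {
  return USERS.filter((u) =>
    Object.entries(filter).every(([k, c]) => matches(u[k], c)));
}
```

Running the injected body from the post through `findUsers` unsanitized returns bob by password alone; after `sanitize` the username condition becomes `{}`, which matches no string username, and `buildLoginFilter` rejects it outright.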
Kind regards ❤️
