The injection vulnerability in non-relational repositories
The problem of injectability is strictly dependent on trusting input, which could include interpretable code. This is also true in some cases of NoSQL database systems.
Document-based databases still use formatted text to be inserted in a structured format. Most applications that use such databases rely mostly on text, be it in JavaScript Object Notation (JSON) format, or in any case from user-provided input. Thus, if not adequately sanitized, specific input could trigger some issues, in a similar fashion to how these happen in SQL.
Let's for now consider a fictitious website that relies on a document-based database, MongoDB, for authentication purposes. An attacker could send an HTTP GET
request, https://targetsite.org/login?user=admin&password[%24ne]=
. The target website, coded using a framework of Node.js
, unfortunately has a very naïve way to check for credentials. Have a look at the following code snippet...