
Identifying MongoDB injection vulnerabilities

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

You can identify MongoDB injection vulnerabilities with Invicti.

As one of the most popular NoSQL database solutions, MongoDB stores data as documents with a JSON-like syntax (JavaScript Object Notation).

  • NoSQL is a general term for databases that do not use the SQL query language; it usually refers to the non-relational databases that are growing in popularity.
  • NoSQL databases store data models that are better suited to certain uses, such as documents, graphs, objects, and many more.

Invicti Enterprise and Invicti Standard can test your MongoDB-backed application to identify injection vulnerabilities. Currently, Invicti supports time-based (blind) detection and error-based detection. For further information, see NoSQL injection.

This article explains how to identify MongoDB Injection vulnerabilities. For further information about scanning for MongoDB injection vulnerabilities, see How to scan for MongoDB injection vulnerabilities – and how to fix them.
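As an added illustration of the defect class these checks report (this is example code, not Invicti's or this article's), the following shows a MongoDB filter built straight from a JSON-parsed request body beside a hardened version, and a helper that flags filters in which a value carries query operators. It assumes an Express-style handler whose req.body was parsed by a JSON body parser, so a field may arrive as an object rather than a string.

```javascript
// Added example, not Invicti's code. Assumes req.body came from a JSON body
// parser, so any field may be an object, an array, or a string.

// Vulnerable: values from the parsed body are copied straight into the
// MongoDB filter. If a client sends an object in place of a string, the
// object's keys are interpreted by the database as query operators.
function buildFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// True if any nested key could be read as an operator ("$...") or a field
// path (contains "."), i.e. the filter no longer expresses a plain equality.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || k.includes(".") || containsOperator(v)
    );
  }
  return false;
}

// Hardened: only primitive strings are accepted for the compared fields, so
// an operator object can never reach the query. (Comparing a password inside
// a query is itself poor practice; a real login should look the user up and
// then verify a password hash in application code.)
function buildFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// Constructed sample request bodies (not captured traffic).
const benignBody = { username: "alice", password: "correct-horse" };
const tamperedBody = { username: "alice", password: { $ne: "" } };
```

Running containsOperator over the filter the unsafe builder produces for tamperedBody returns true, while buildFilterSafe rejects that body with a TypeError before any query is built.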

New security checks are added automatically to existing scan policies in which more than 50 percent of the checks are already enabled.

MongoDB fields

This table lists and explains the MongoDB injection fields on the New Scan Policy page.

Field                   Description
Proof Character Limit   The character limit for generated proof. The default value is 5. Enter 0 to disable the character limit.
Proof Sharing           Whether the same proof can be shared across vulnerabilities. The default value is Yes.
Generate Proof          Whether proof is generated. The default value is Yes.

How to configure MongoDB Injection attacks in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > New Scan Policy.
  3. From the General tab, enter a name for your scan policy.
  4. From the Security Check tab, select the NoSQL Injection drop-down.
  5. Configure the MongoDB Injection (Blind) and MongoDB Injection (Error based) checks according to your needs.
  6. Select Save to save the scan policy.

You can now use this scan policy while launching a new scan. For further information, see Creating a new scan.


How to configure MongoDB Injection attacks in Invicti Standard
  1. Open Invicti Standard.
  2. From the ribbon, select Scan Policy Editor.
  3. From the Scan Policy Editor window, select the Security Checks tab.
  4. From the Security Checks Group list, select NoSQL Injection.
  5. Configure the MongoDB Injection (Blind) and MongoDB Injection (Error based) checks according to your needs.
  6. Select Apply, then OK to save the scan policy.