MongoDB $where operator JavaScript injection
Description
This web application is possibly vulnerable to MongoDB JavaScript Injection in the value passed to the $where operator. An application is vulnerable if the developer uses MongoDB's $where query operator with unvalidated user inputs. This allows an attacker to inject malicious input containing JavaScript code.
Example of vulnerable code:

db.collection.find( { $where: function() { return (this.name == $userData) } } );

The attacker might then inject an exploit string like 'a'; sleep(5000) into $userData to have the server pause for 5 seconds if the injection was successful. The query executed by the server would be:

db.collection.find( { $where: function() { return (this.name == 'a'; sleep(5000) ) } } );
Remediation
It is not recommended to use MongoDB operators such as $where, mapReduce, or group with user-supplied data. $where clauses can almost always be rewritten as normal queries, using the $expr operator, so that user input is passed as a value rather than evaluated as JavaScript source.

It is also recommended to set javascriptEnabled to false in your mongod.conf, if possible. This disables server-side JavaScript execution in your MongoDB instance and prevents this class of attacks.
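The following is an added example, not code from the original page: it shows the concatenated $where pattern next to the plain-equality and $expr rewrites, and a small review-time check that flags query documents carrying a JavaScript-executing operator. The function names are hypothetical and the builders only construct query objects, so the code runs without a database.

```javascript
// Vulnerable pattern: user data is spliced into JavaScript source that mongod
// evaluates for every document. An input such as  a'; sleep(5000)  is code here,
// not data. Kept only to contrast with the safe builders below.
function buildWhereQuery(userData) {
  return { $where: "this.name == '" + userData + "'" };
}

// Safe rewrite 1: plain equality match. The value is a BSON string, never evaluated.
function buildEqualityQuery(userData) {
  return { name: String(userData) };
}

// Safe rewrite 2: $expr for queries that genuinely needed expression logic
// (e.g. comparing fields). The user value is still a literal, not source text.
function buildExprQuery(userData) {
  return { $expr: { $eq: ["$name", String(userData)] } };
}

// Defensive check for tests or code review: walk a query document and report
// whether any nesting level uses an operator that runs server-side JavaScript.
// $where is the operator this page discusses; $function is the aggregation
// equivalent and is included so the check also covers pipelines.
const JS_OPERATORS = new Set(["$where", "$function"]);

function containsJsOperator(query) {
  if (Array.isArray(query)) return query.some(containsJsOperator);
  if (query === null || typeof query !== "object") return false;
  return Object.entries(query).some(
    ([key, value]) => JS_OPERATORS.has(key) || containsJsOperator(value)
  );
}

// Server-side hardening that complements the query rewrite (mongod.conf):
//   security:
//     javascriptEnabled: false
// With this set, any remaining $where query fails instead of executing.
```

Run containsJsOperator over the final query object in a test suite so a reintroduced $where is caught before it reaches production.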