Identifying MongoDB injection vulnerabilities
You can identify MongoDB injection vulnerabilities with Invicti.
As one of the most popular NoSQL database solutions, MongoDB stores data as documents with a JSON-like (JavaScript Object Notation) syntax.
- NoSQL is a general term for databases that do not use the SQL query language; it usually refers to non-relational databases, which are growing in popularity.
- NoSQL databases support data models that are better suited to certain uses, such as documents, graphs, objects, and many more.
Invicti Enterprise and Invicti Standard can test your MongoDB to identify injection vulnerabilities. Currently, Invicti supports Time-based detection and Error-based detection. For further information, see NoSQL injection.
This article explains how to identify MongoDB Injection vulnerabilities. For further information about scanning for MongoDB injection vulnerabilities, see How to scan for MongoDB injection vulnerabilities – and how to fix them.
All new security checks are added to your scan policies automatically if you have already enabled more than 50 percent of the checks.
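The checks above look for places where a request value reaches a MongoDB query as query syntax. As an added illustration (not Invicti's code), the snippet below shows a login lookup that passes a parsed JSON body straight into a filter, beside a hardened version that accepts only plain strings; the in-memory matcher, sample users and request bodies are constructed here and stand in for a real database.

```javascript
// Added example (not Invicti's code): a vulnerable login lookup beside a
// hardened one. A tiny in-memory matcher (constructed; supports equality and
// the $ne operator only) stands in for a MongoDB collection.

// Constructed sample collection.
const users = [
  { username: 'admin', password: 's3cret-hash', role: 'admin' },
  { username: 'bob', password: 'bob-hash', role: 'user' },
];

// Minimal stand-in for MongoDB filter evaluation: plain values compare with
// equality; an object whose key starts with "$" is treated as an operator.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      throw new Error(`unsupported operator in ${field}`);
    }
    return doc[field] === cond;
  });
}

// VULNERABLE: body is the result of JSON.parse on the request, so a value may
// be an object rather than a string, and it becomes part of the query as-is.
function findUserVulnerable(body) {
  const filter = { username: body.username, password: body.password };
  return users.find((u) => matches(u, filter)) || null;
}

// HARDENED: reject anything that is not a plain string before it reaches the
// filter, so an operator object can never become query syntax.
function findUserHardened(body) {
  for (const key of ['username', 'password']) {
    if (typeof body[key] !== 'string') {
      throw new TypeError(`${key} must be a string`);
    }
  }
  const filter = { username: body.username, password: body.password };
  return users.find((u) => matches(u, filter)) || null;
}

// Constructed request bodies: a normal login, and one whose password field
// is an operator object instead of a string.
const normalLogin = JSON.parse('{"username":"bob","password":"bob-hash"}');
const operatorBody = JSON.parse('{"username":"admin","password":{"$ne":""}}');
```

With the operator body, the vulnerable lookup matches the admin document without the password ever being compared, which is the behaviour a NoSQL injection check tries to surface; the hardened lookup rejects the request before any query runs.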
MongoDB fields
This table lists and explains the MongoDB injection fields on the New Scan Policy page.
| Field | Description |
| --- | --- |
| Proof Character Limit | This specifies the character limit for generated proof. The default value is 5. Enter 0 to disable the character limit. |
| Proof Sharing | This specifies whether the same proof is shared across vulnerabilities. The default value is Yes. |
| Generate Proof | This specifies whether proof is generated. The default value is Yes. |
How to configure MongoDB Injection attacks in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Policies > New Scan Policy.
- From the General tab, enter a name for your scan policy.
- From the Security Check tab, select the NoSQL Injection drop-down.
- Configure the MongoDB Injection (Blind) and MongoDB Injection (Error based) checks according to your needs.
- Select Save to save the scan policy.
You can now use this scan policy while launching a new scan. For further information, see Creating a new scan.
How to configure MongoDB Injection attacks in Invicti Standard
- Open Invicti Standard.
- From the ribbon, select Scan Policy Editor.
- From the Scan Policy Editor window, select the Security Checks tab.
- From the Security Checks Group list, select NoSQL Injection.
- Configure the MongoDB Injection (Blind) and MongoDB Injection (Error based) checks according to your needs.
- Select Apply, then OK to save the scan policy.