Description

This web application is possibly vulnerable to MongoDB Injection attacks.

There are various types of attacks against MongoDB databases. Consult web references for more information about this vulnerability.

1) Operation Injection Attacks
If you are passing $_GET parameters to your queries, make sure that they are cast to strings first. Users can insert associative arrays in GET requests, which could then become unwanted $-queries.

2) Script Injection Attacks
If you are using JavaScript, make sure that any variables that cross the PHP- to-JavaScript boundary are passed in the scope field of MongoCode, not interpolated into the JavaScript string.

Remediation

If you are passing $_GET/$_POST parameters to your queries, make sure that they are cast to strings first. If you are using JavaScript, make sure that any variables that cross the PHP- to-JavaScript boundary are passed in the scope field of MongoCode, not interpolated into the JavaScript string.

References

Related Vulnerabilities