MongoDB injection

Description
  • This script is possibly vulnerable to MongoDB Injection attacks.

    There are various types of attacks against MongoDB databases. Consult web references for more information about this vulnerability.

    1) Request Injection Attacks
    If you are passing $_GET parameters to your queries, make sure that they are cast to strings first. Users can insert associative arrays in GET requests, which could then become unwanted $-queries.

    2) Script Injection Attacks
    If you are using JavaScript, make sure that any variables that cross the PHP-to-JavaScript boundary are passed in the scope field of MongoCode, not interpolated into the JavaScript string.
Remediation
  • If you are passing $_GET/$_POST parameters to your queries, make sure that they are cast to strings first. If you are using JavaScript, make sure that any variables that cross the PHP-to-JavaScript boundary are passed in the scope field of MongoCode, not interpolated into the JavaScript string.
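
The two remediation steps above, side by side with the unsafe form, as an added example that is not part of the original advisory. The helper `string_param`, the field names and the sample values are assumptions made for illustration; the helper rejects array input outright instead of casting it, which is slightly stricter than the cast the text asks for.

```php
<?php
// Constructed sample request: PHP turns the query string
// ?username[$ne]=x into an array under $_GET['username'].
parse_str('username[$ne]=x', $get);             // stands in for $_GET

// Unsafe: the array is used as-is, so MongoDB reads it as a $-query.
$unsafeFilter = ['username' => $get['username']];

// Hypothetical helper: accept only scalar request values and cast them,
// so a filter built from the result always carries a literal string.
function string_param(array $src, string $key): ?string
{
    $v = $src[$key] ?? null;
    // Arrays are rejected here rather than cast to the string "Array".
    return is_scalar($v) ? (string) $v : null;
}

$username = string_param($get, 'username');
if ($username === null) {
    echo "rejected: username is not a string\n";
} else {
    $safeFilter = ['username' => $username];    // literal match only
}

// Script injection: keep the JavaScript source constant and hand the
// value over in the scope argument of MongoCode (legacy mongo extension).
$name = string_param(['name' => "O'Brien"], 'name');   // constructed value

// Unsafe: the value becomes part of the script text; the quote inside
// it ends the string literal and changes the code that is evaluated.
$unsafeJs = "function() { return this.name == '$name'; }";

// Safe: fixed source, value bound as a scope variable named `name`.
$safeJs = 'function() { return this.name == name; }';
$scope  = ['name' => $name];
if (class_exists('MongoCode')) {
    $code = new MongoCode($safeJs, $scope);     // e.g. for a $where clause
}

// Show the difference between the two forms.
var_dump($unsafeFilter, $unsafeJs, $safeJs, $scope);
```

The block runs without a database: it only prints the filter and script text each form would send, and constructs `MongoCode` only when the legacy extension is loaded.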
References