Description

This web application is possibly vulnerable to MongoDB JavaScript Injection in the value passed to the $where operator. An application is vulnerable if the developer uses MongoDB's $where query operator with unvalidated user inputs. This allows an attacker to inject malicious input containing JavaScript code.

Example of vulnerable code:

db.collection.find( { $where: function() {
    return (this.name == $userData) } } );

The attacker might then inject an exploit string like 'a'; sleep(5000) into $userData to have the server pause for 5 seconds if the injection was successful. The query executed by the server would be:

db.collection.find( { $where: function() {
    return (this.name == 'a'; sleep(5000) ) } } );

Remediation

It's not recommended to use MongoDB operators such as $where, mapReduce, or group with user-supplied data. $where clauses can almost always be rewritten as normal queries using the $expr operator.

It's also recommended to set javascriptEnabled to false in your mongod.conf, if possible. This disables JavaScript execution in your MongoDB instance and prevents this class of attacks.
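
The $where-to-$expr rewrite recommended above, as an added example that is not part of the original page: it builds the query documents only and sends nothing to a server. The function names (buildWhereQuery, buildExprQuery, usesServerSideJs) and the sample inputs are assumptions made for illustration.

```javascript
// Added example: query documents are built and inspected, never executed.

// Vulnerable pattern from the description: user input concatenated into $where.
function buildWhereQuery(userData) {
  return { $where: "this.name == " + userData };
}

// Hardened form: the same comparison through $expr, with no server-side JavaScript.
function buildExprQuery(userData) {
  // Reject objects and arrays so input such as {"$ne": null} cannot become an operator.
  if (typeof userData !== "string") {
    throw new TypeError("name must be a string");
  }
  // $literal keeps a value like "$password" from being read as a field path.
  return { $expr: { $eq: ["$name", { $literal: userData }] } };
}

// Guard for a data-access layer: true if any key in the filter runs JavaScript.
const JS_OPERATORS = new Set(["$where", "$function", "$accumulator"]);
function usesServerSideJs(filter) {
  if (filter === null || typeof filter !== "object") return false;
  return Object.entries(filter).some(
    ([key, value]) => JS_OPERATORS.has(key) || usesServerSideJs(value)
  );
}

// Constructed sample input: the exploit string quoted in the description.
const injected = "'a'; sleep(5000)";
console.log(JSON.stringify(buildWhereQuery(injected)));
console.log(JSON.stringify(buildExprQuery(injected)));
console.log(usesServerSideJs({ $and: [{ age: 3 }, buildWhereQuery("'a'")] }));
```

In the $expr form the injected text is carried as a string value to compare against, so the sleep call is never evaluated.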
