Reputation: 5169
Mongodb security in node.js
For say a MySQL database there are known security issues. How does this apply to a NoSQL db? e.g. Injections, xss etc. What are the security measurement you have to take when using a NoSQL db? Specifically regarding MongoDB (with node-mongodb-native) and Node.js (using Express)
And if so, are there any modules for Node/Express that helps in preventing this?
Upvotes: 10
Views: 4055
Answers (1)
Reputation: 62835
There is specific issue for NodeJS, MongoDB (and some others NoSQL databases that heavily use javascript): serverside javascript injection. Look here and here (pdf) for details. It is more like SQL injection than XSS.
Shortly, that is when attacker sends javascript to your nodejs or mongodb when you're expecting just JSON. So theoretically bad guy can bring your service down (DOS), access your data and even filesystem.
To prevent such attacks you have to:
- Avoid creating “ad-hoc” JavaScript commands by concatenating script with user input.
- Validate user input used in SSJS commands with regular expressions.
- Avoid use of the JavaScript eval command. In particular, when parsing JSON input, use a safer alternative such as JSON.parse.
Upvotes: 11
Related Questions
- JavaScript NoSQL Injection prevention in MongoDB
- Can injection still be an issue if all the database operations are done through Mongoose?
- Mitigating MongoDB injection attacks with Mongoose
- MongoDB injection attack
- MongoDB injection attack prevention
- mongodb injection possibility
- Node.js, Express.js and MongoDB - Security about user input with find and insert
- MongoDB security, what am I missing?
- Mongo db security
- Access Control in MongoDB