NoSQL Injection is a security vulnerability that lets attackers take control of database queries through the unsafe use of user input. It can be used by an attacker to:
Over the past few years, we've worked with many teams building amazing software with MongoDB. But to our shock and dismay, we've found NoSQL Injection vulnerabilities in each and every one of these projects.
To try and combat this pervasive issue, we started writing about what we were seeing. We wrote about the exploits we'd seen in the wild and how to prevent them. We wrote tools to help detect vulnerabilities in your code. We started speaking about NoSQL Injection on podcasts and at conferences…
We've been shouting about NoSQL Injection for years!
But we still see it everywhere.
Even if you know what you're looking for, preventing NoSQL Injection can be challenging. One piece of mishandled user input can lead to a serious attack. These small oversights can lead to dangerous back doors in your application.
If you were attacked tomorrow, how would you know?
Inject Detect can help give you an upper hand against potential attackers by detecting NoSQL injection in real time, as it happens. We analyze the structure of every MongoDB query made by your application, looking for any unexpected queries that may be the result of a NoSQL Injection attack.
Whenever we detect an unexpected query, we immediately notify you so you can take appropriate action.
What's more, we'll compare the suspicious query with a set of expected queries made by your application in an attempt to determine which query in your application is being exploited.
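The structural comparison described above can be illustrated in a few dozen lines. The following is an added example written for this page, not Inject Detect's own code: it reduces each MongoDB query object to a signature of field paths, operator keys and value types (literal values dropped), learns the set of signatures an application is expected to produce, and flags any query whose signature is not in that set, reporting the expected query it most resembles. The example queries and the `jaccard` similarity measure are constructed for illustration; a real deployment would learn the expected set from the application's actual query sites.

```javascript
// Added example (not Inject Detect's code): fingerprint MongoDB query
// structure and flag query shapes the application never issues.

// Reduce a query to a sorted list of structural tokens such as
// "username:string" or "createdAt.$gt:number". Literal values are
// replaced by their type, so two logins with different credentials
// share one signature, while an injected operator changes it.
function querySignature(query, prefix = "", out = []) {
  for (const key of Object.keys(query).sort()) {
    const value = query[key];
    const path = prefix ? `${prefix}.${key}` : key;
    if (Array.isArray(value)) {
      // $in / $or / $and: recurse into object elements, type the rest
      const scalarTypes = new Set();
      for (const el of value) {
        if (el !== null && typeof el === "object") querySignature(el, `${path}[]`, out);
        else scalarTypes.add(el === null ? "null" : typeof el);
      }
      if (scalarTypes.size) out.push(`${path}:[${[...scalarTypes].sort().join("|")}]`);
    } else if (value instanceof Date) {
      out.push(`${path}:date`);
    } else if (value !== null && typeof value === "object") {
      querySignature(value, path, out);
    } else {
      out.push(`${path}:${value === null ? "null" : typeof value}`);
    }
  }
  return out;
}

function signatureKey(query) {
  return querySignature(query).join(",");
}

// Learn the shapes an application is expected to issue (here from a
// constructed list; in practice from the application's query sites).
function buildExpectedSignatures(expectedQueries) {
  return new Set(expectedQueries.map(signatureKey));
}

// Jaccard similarity between two token lists, used to rank which
// expected query a suspicious one most resembles.
function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  let inter = 0;
  for (const x of A) if (B.has(x)) inter++;
  return inter / (A.size + B.size - inter);
}

// Inspect one live query: exact signature match means "expected";
// otherwise report it, with the closest expected signature attached
// so the responder knows which query site to look at first.
function inspectQuery(expected, query) {
  const tokens = querySignature(query);
  const key = tokens.join(",");
  if (expected.has(key)) return { unexpected: false, signature: key, closest: null, similarity: 1 };
  let closest = null, best = -1;
  for (const sig of expected) {
    const s = jaccard(tokens, sig.split(","));
    if (s > best) { best = s; closest = sig; }
  }
  return { unexpected: true, signature: key, closest, similarity: best };
}

// Constructed sample of the queries a small app legitimately makes.
const EXPECTED_QUERIES = [
  { username: "alice", password: "hunter2" },          // login lookup
  { _id: "5f1a2b3c" },                                 // fetch by id
  { owner: "alice", createdAt: { $gt: 0 } },           // recent items
];

// Constructed sample of a query whose structure the app never produces:
// the password field carries an operator object instead of a string.
const SUSPICIOUS_QUERY = { username: "alice", password: { $ne: "" } };

const expectedSignatures = buildExpectedSignatures(EXPECTED_QUERIES);
console.log(JSON.stringify(inspectQuery(expectedSignatures, SUSPICIOUS_QUERY)));
```

Because the signature keeps operator keys but discards values, the detector does not need to know any particular payload in advance: any query whose structure deviates from what the application is known to issue is reported, and the `closest` field points at the query site most likely to be mishandling its input.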
Inject Detect is not being built with security professionals, penetration testers, or researchers in mind.
We're building Inject Detect for everyone.
We want Inject Detect to be used by teams of all sizes and security proficiencies to empower them with the peace of mind that they have a lookout on the front lines of the NoSQL Injection war.
Our initial release will integrate tightly with Meteor, but NoSQL Injection is not a Meteor-specific problem! Future releases will expand Inject Detect to work with a variety of stacks and MongoDB drivers. Inject Detect is currently being developed by East5th and is slated for a mid-2017 release. If you're interested, please sign up below and we'll send you updates and news about our upcoming release.
As a "thank you" for signing up, we'll also send you our "Five Minute Introduction to NoSQL Injection". This guide walks you through the nuts and bolts of how NoSQL Injection works and how to prevent it in your application.