NoSQL Injection is a security vulnerability that lets attackers take control of database queries through the unsafe use of user input. It can be used by an attacker to:
Over the past few years, we've worked with many teams building amazing software with MongoDB. But to our shock and dismay, we've found NoSQL Injection vulnerabilities in each and every one of these projects.
To try and combat this pervasive issue, we started writing about what we were seeing. We wrote about the exploits we'd seen in the wild and how to prevent them. We wrote tools to help detect vulnerabilities in your code. We started speaking about NoSQL Injection on podcasts and at conferences…
We've been shouting about NoSQL Injection for years!
But we still see it everywhere.
Even if you know what you're looking for, preventing NoSQL Injection can be challenging. One piece of mishandled user input can lead to a serious attack. These small oversights can lead to dangerous back doors in your application.
If you were attacked tomorrow, how would you know?
Inject Detect can help give you an upper hand against potential attackers by detecting NoSQL injection in real time, as it happens. We analyze the structure of every MongoDB query made by your application, looking for any unexpected queries that may be the result of a NoSQL Injection attack.
An example notification of an unexpected query.
Whenever we detect an unexpected query, we immediately notify you so you can take appropriate action.
What's more, we'll compare the suspicious query with a set of expected queries made by your application in an attempt to determine which query in your application is being exploited.
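As an added illustration of the structural comparison described above (this is not Inject Detect's own code), the sketch below reduces each query to its shape, flags shapes that are not in an expected set, and reports the closest expected query. The function names, the top-level-field similarity measure, and the sample queries are all assumptions constructed for this example.

```javascript
// Added illustration; not Inject Detect's code. All names are hypothetical.

// Reduce a query to its structure: keep field names and $operators,
// replace every leaf value with the name of its type.
function queryShape(value) {
  if (Array.isArray(value)) {
    // Collapse an array to the distinct shapes of its elements.
    const shapes = new Set(value.map((v) => JSON.stringify(queryShape(v))));
    return [...shapes].sort().map((s) => JSON.parse(s));
  }
  if (value instanceof Date) return "date";
  if (value instanceof RegExp) return "regex";
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const key of Object.keys(value).sort()) out[key] = queryShape(value[key]);
    return out;
  }
  return value === null ? "null" : typeof value;
}

// Stable string key for a (collection, query) pair.
function shapeKey(collection, query) {
  return collection + ":" + JSON.stringify(queryShape(query));
}

// Constructed sample: shapes the application is expected to issue.
const EXPECTED = [
  { collection: "users", query: { _id: "abc" } },
  { collection: "users", query: { token: "t0k3n" } },
  { collection: "posts", query: { authorId: "abc", published: true } },
];

// Return whether the query's shape is expected; if it is not, return the
// expected query on the same collection sharing the most top-level fields.
function classify(expected, collection, query) {
  const key = shapeKey(collection, query);
  if (expected.some((e) => shapeKey(e.collection, e.query) === key)) {
    return { expected: true, closest: null };
  }
  const fields = Object.keys(query);
  let closest = null;
  let best = 0;
  for (const e of expected) {
    if (e.collection !== collection) continue;
    const shared = Object.keys(e.query).filter((f) => fields.includes(f)).length;
    if (shared > best) { best = shared; closest = e; }
  }
  return { expected: false, closest };
}
```

With the constructed data, `{ token: "zzz" }` matches an expected shape, while `{ token: { $gt: "" } }` does not: an operator object sits where a string was expected, and the closest match points at the `token` lookup as the query to review.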
Inject Detect was not built with security professionals, penetration testers, or researchers in mind.
We built Inject Detect for everyone.
We want Inject Detect to be used by teams of all sizes and security proficiencies to empower them with the peace of mind that they have a lookout on the front lines of the NoSQL Injection war.
Our initial release integrates tightly with Meteor, but NoSQL Injection is not a Meteor-specific problem! Future releases will expand Inject Detect to work with a variety of stacks and MongoDB drivers. If you're interested in trying out Inject Detect with your Meteor application, create your account and get started today!
As a "thank you" for signing up, we'll give you a $10 credit so you can try Inject Detect immediately with zero obligations.