Injection Attack Documentation
Hi MongoDB, we are in the process of preparing for production, and while we have found some susceptibilities to injection attacks on MongoDB (see OWASP Top 10), there does not seem to be any documentation explaining all the potential known avenues of attack for MongoDB. The response from the engineering team is that there is shared responsibility; however, how can we share responsibility for what we do not know? We as engineers rely on the product owners to give known attack vectors so that we can share that responsibility.
That said, there are two we know about: escape the $ sign off the beginning of text, and look for function() attacks where injecting JavaScript is an available option (such as $where clauses). However, this was found through hours of Stack Overflow comments.
The request here is: could you please provide a document on what we should be protecting against?
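The two vectors named in the post (a `$`-prefixed key smuggled into a filter, and server-side JavaScript via `$where`) share one root cause: query *keys* taken from user input. The following is an added example, not code from the original post or from MongoDB; the helper names (`findOperatorKeys`, `sanitizeFilter`, `buildUserLookup`) are hypothetical, and the payload is constructed.

```javascript
// Added example (not from the original post): reject operator injection before a
// user-supplied object ever reaches a MongoDB driver call such as collection.find().

// Walk a decoded JSON body and collect every key that could be interpreted by the
// query engine: keys starting with "$" ($gt, $ne, $regex, $where, ...) and keys
// containing "." (dotted paths into sub-documents). Returns the offending paths,
// which is also useful for logging/detection of probing attempts.
function findOperatorKeys(value, path = '') {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findOperatorKeys(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => {
      const here = path ? `${path}.${k}` : k;
      const bad = k.startsWith('$') || k.includes('.') ? [here] : [];
      return bad.concat(findOperatorKeys(v, here));
    });
  }
  return []; // primitives can never carry an operator
}

// Fail closed: throw instead of silently stripping, so the request is logged and rejected.
function sanitizeFilter(body) {
  const offenders = findOperatorKeys(body);
  if (offenders.length) {
    throw new Error(`rejected operator keys in user input: ${offenders.join(', ')}`);
  }
  return body;
}

// Safest pattern for a login/lookup: the application fixes the keys and forces the
// value to a primitive string, so {"$gt": ""} cannot be treated as an operator object.
function buildUserLookup(body) {
  if (typeof body.username !== 'string') {
    throw new TypeError('username must be a string');
  }
  return { username: body.username };
}

// Constructed payload as a JSON body parser would hand it to a handler:
//   {"username": {"$gt": ""}, "$where": "function() { return true; }"}
// Passed straight into find(), the first clause matches every user and the second
// runs server-side JavaScript. Disabling JS entirely on the server
// (security.javascriptEnabled: false in mongod.conf) removes the $where path;
// the key check below removes both at the application boundary.
const constructedPayload = { username: { $gt: '' }, $where: 'function() { return true; }' };
```

The user-facing handler should call `buildUserLookup(req.body)` (or `sanitizeFilter` for free-form search bodies) and pass only the returned object to the driver.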
-
AdminSalman (Admin, MongoDB) commented
Hi Ray, if you are running the MongoDB database on-prem and looking for a security checklist, it can be found here:
https://docs.mongodb.com/manual/administration/security-checklist/
Hope this helps.