Details
Alert ID 90039
Alert Type Active
Status alpha
Risk High
CWE 943
WASC 19
Technologies Targeted Db / MongoDB
Tags CWE-943, OWASP_2017_A01, OWASP_2021_A03, TEST_TIMING, WSTG-V42-INPV-05
More Info Scan Rule Help

Summary

MongoDB query injection may be possible.

Solution

Do not trust client-side input and escape all data on the server side. Avoid using the query input directly in the where and group clauses, and upgrade all drivers to the latest available version.

Other Info

Through the MongoDB where or group clauses, the JavaScript sleep function is probably executable.

References

Code

org/zaproxy/zap/extension/ascanrulesAlpha/MongoDbInjectionTimingScanRule.java