What is SQL Injection?
SQL Injection is a Code Injection technique to attack Data-driven applications. Despite being around for many years, SQL Injection is still a hugely dominant security flaw in web applications.
An attacker can send SQL Queries as a part of the command or input parameters. Through SQL Injection attacker can obtain unauthorized access to a database and he might be able to create, read, update, alter, or delete data stored in the back-end database. Although SQL injection is most commonly used to attack websites to compromise the data.
What is NoSQL then?
In this attack NoSQL we do not use malicious SQL queries. Database like MongoDB don’t use sql but they use queries which is based upon the user input that means they are vulnerable too.
How to attack?
The application which uses MongoDB they are built on MEAN(MongoDB, Express, Angular and Node) Stack. They use JSON for passing data. In this case using the malicious JSON code into a MEAN application can enable injection attacks against a MongoDB database.
Protecting the application from such attacks
NoSQL injection is also same like SQL injection. So, to protect from these attacks:-
- Using an input sanitization library to escape dangerous characters
- Minimizing privileges on public-facing applications
- Never building queries from strings
- Using typed inputs
NoSQL Database is great idea, for protection of the database we can even disabled javascript evaluation in MongoDB decreasing the injection attack.