What type of attacks can be used vs MongoDB?
Insecure Direct Object Reference
Client-Side Enforcement of Server Side Security
Server-Side JavaScript Injection
Also MongoDB should not be assessable to the public. It can be password protected, and passwords can be brute-forced. Client-Side js can communicate with MongoDB directly, and MongoDB can authenticate individual users. However their authentication system is overly simplistic, and in practice I have only seen this design fail.
There are injection attacks against MongoDB, but these are largely mitigated by using proper data adapter libraries. Nonetheless, it's worth knowing that it's possible to inject in a few ways.
The first thing you've got to look out for is cases where you dynamically build a $where
with JavaScript, using user input. By modifying their inputs, they may be able to alter your query. The second issue you've got to handle is injection of operators like $or
(or parameters to such operators) which can alter the behaviour of the query. Both of these are mitigated by not using concatenation-style methods, but instead using libraries that work on data structures (e.g. JSON).
It may also be possible to escape the $
that precedes an operator, in order to provide alternative operators. Make sure you're properly escaping keys if user data is used in them.
All in all, I'd avoid stuff like NodeJS for anything security-critical. It's not been designed with any form of security in mind, and it's a young project. If you're consuming MongoDB from a different language, that's fine.
For more details, see MongoDB's FAQ.
First vulnerability similar to sql injection can be done in mongodb or nosql databases too. which would be mongodb injection.
Try to run mongodb on different port instead on default 27017 to avoid exposing. For official security practices you can always check out http://docs.mongodb.org/manual/administration/security/
It tell security practices that should be used with mongodb server.
Mongodb Injection :
its fully describes here for php how mongodb injection can take place in phpwebapp if client side data is not filtered properly. Also solution to mongodb injection too
http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/
Mongodb Null byte injection attack
http://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/
This is also a type of attack that is well written on this site , Have a look how certain fields in mongo collection can be overwritten using this method can this can be done in any webapp.