I'm diving into NoSql injection so I'm trying to hack my db with postman to see if there is any vulnerability. My requests use parameters to query fields as:
User.find({
// name: req.params.name
name: req.query.name
},
function (err, result) {
if (err) {
console.log('Mongoose findUsers name error: ', err);
res.status(505).send({ error: "Internal error." });
return;
}
if (result != null) {
console.log("Mongoose findUsers name: ", result);
res.status(200).send({
message: "Found users :",
data: result
});
} else {
console.log("Mongoose findUsers name: No user found");
res.status(404).send({
message: "No user found."
});
}
});
So I'm trying to pass a name parameter as {"$ne": null} or {"$gt": ""} , so the query will be localhost:5000/api/users?name={"$ne": null}. Though the response I get from the findOne method is not null, it will return an empty array. Does than mean that I'm already protected against NoSql injections and not need to sanitize queries parameters or am I just not using the right value to perform an injection? What other test could I run to try and check properly if nosql injection are possible ?
As always many thanks for your help.
Cheers.