Elasticsearch Injection Attacks


We have a system where we store job applications from candidates into Elasticsearch. We further present all candidates who have applied for a job in a candidate list(grid with candidates).

We also have a search field on the same site where we can filter candidates. We are actually making full text search to match candidates based on the input from the user.


So, the users can enter input. Right now, we are using the input from users directly in a query to Elasticsearch, for example:

queryStringQuery = new QueryStringQuery
      Fields = new Field("firstName").And("lastName").And("education").And("workExperience").And("currentPosition").And("currentEmployer").And("attachments.attachment.content"),
      Query = "*" + query.Freetext + "*" 

If you look at the Query parameter, you can notice that we are setting it to query.Freetext(Which is input from the user).

The user can input malicious content ( Injection Attack ).


How does Elasticsearch handle mailicious content in the query? What can I do to prevent it?

What kind of malicious content you think they can send here?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.