NoSQL Injection


#1

Hello. What are the recommended techniques to protect ES queries against NoSQL injection? It's common for some parameters to be specified externally (by the user, for example). How can we prevent them from abusing the query?

Is there a function on the language APIs to escape strings containing the values?


(Mark Walkom) #2

We'd suggest the use of Security to maintain AAA - https://www.elastic.co/guide/en/x-pack/current/xpack-security.html


#3

Security provides AAA for the cluster. In a two (or three)-tier application, the end user doesn't have direct access to the ES cluster. The Web (or application) server sits in between the user and ES.

AAA does not solve the injection vulnerability problem, because the user sends its parameters to the webserver, and the server constructs the request on the end-user's behalf. We are trying to prevent the end-user from modifying that request.

https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html

So, is there an API function to perform input validation/sanitization on user input?
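One way to keep user input out of query syntax, as an added example that is not from the thread and not part of any Elasticsearch client library: build the query DSL as a dict, check the field name against an allow-list, require the value to be a bounded plain string, and place it in a `match` clause rather than concatenating it into a `query_string`. The allow-list, length limit and character pattern below are constructed assumptions for the example.

```python
import json
import re

# Constructed allow-list: the only fields this endpoint lets a user filter on.
ALLOWED_FIELDS = {"title", "author", "tags"}
# Assumed limits; tune per field in a real application.
MAX_VALUE_LEN = 256
VALUE_PATTERN = re.compile(r"[\w\s.@-]+")


def unsafe_query(field, value):
    """Anti-pattern: interpolating user input into query_string syntax.
    Operators such as OR, *, ~ and field:value inside `value` are parsed
    as query syntax, so the user rewrites the query, not just the search term."""
    return {"query": {"query_string": {"query": f"{field}:{value}"}}}


def build_safe_query(field, value, size=10):
    """Return a query-DSL dict in which user input can only ever be a literal.
    The field name is checked against an allow-list, the value must be a
    bounded string (a dict or list would alter the query structure), and it
    is placed in a match clause, which treats it as text rather than syntax."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not permitted: {field!r}")
    if not isinstance(value, str):
        raise TypeError("value must be a plain string")
    if not value or len(value) > MAX_VALUE_LEN or not VALUE_PATTERN.fullmatch(value):
        raise ValueError("value failed validation")
    size = max(1, min(int(size), 100))  # clamp page size to a sane range
    return {"query": {"match": {field: {"query": value}}}, "size": size}


if __name__ == "__main__":
    # Constructed user input that tries to smuggle query syntax.
    hostile = "foo OR author:admin"
    print(json.dumps(unsafe_query("title", hostile)))  # syntax reaches ES
    try:
        build_safe_query("title", hostile)
    except ValueError as exc:
        print("rejected:", exc)
    print(json.dumps(build_safe_query("title", "elastic search")))
```

The same structure-over-strings rule applies to any other clause you expose (`term`, `range`, sorting): user data goes only into value positions, and field names, operators and sizes are chosen from fixed sets by the server.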

