Learn how to protect your MongoDB server from NoSQL injection attacks by disabling server-side JavaScript features

Stampery Inc.
Feb 3, 2017 · 1 min read

All of the following MongoDB operations permit you to run arbitrary JavaScript expressions directly on the server:

These methods can be really convenient, but they pose a huge security risk to your database integrity if your application does not sanitize and escape user-provided values properly, as proven by many reports of NoSQL injection attacks.

Indeed, you can express most queries in MongoDB without JavaScript, so the most sensible option is to completely disable server-side JavaScript.

Disabling server-side JavaScript on MongoDB

Open /etc/mongod.conf with your favorite code editor and look for the security section:

    security:
      authorization: "enabled"

(If you can’t find mongod.conf, or it is named mongodb.conf instead, you are using a really old and broken version of MongoDB. Please read this guide on how to upgrade to a more recent version.)

Make sure to add the following line inside the security section, indented under it:

    javascriptEnabled: false

Now save the file and restart mongod:

$ sudo service mongodb restart

Done! Your deployment is now resistant to NoSQL injections!
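As an added example (not part of the original guide), a POSIX shell helper that applies the setting above idempotently and checks the result. The file layout (a top-level `security:` key with two-space-indented children) and the sample config are assumptions mirroring the snippet in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide: enforce and verify
# security.javascriptEnabled: false in a mongod.conf-style YAML file.
# Assumes the layout shown in the guide (top-level "security:" key,
# two-space-indented children).

# Succeeds only when the file already sets javascriptEnabled to false.
js_disabled() {
  grep -Eq '^[[:space:]]+javascriptEnabled:[[:space:]]*false[[:space:]]*$' "$1"
}

# Ensure "javascriptEnabled: false" is set under the security section:
#  - an existing javascriptEnabled line (e.g. "true") is rewritten in place,
#  - otherwise the line is inserted directly after "security:",
#  - and if there is no security section at all, one is appended.
disable_js() {
  f="$1"
  tmp="$f.tmp"
  if grep -Eq '^[[:space:]]+javascriptEnabled:' "$f"; then
    sed -E 's/^([[:space:]]+)javascriptEnabled:.*$/\1javascriptEnabled: false/' "$f" > "$tmp"
  elif grep -Eq '^security:' "$f"; then
    awk '{ print } /^security:/ && !done { print "  javascriptEnabled: false"; done = 1 }' "$f" > "$tmp"
  else
    { cat "$f"; printf 'security:\n  javascriptEnabled: false\n'; } > "$tmp"
  fi
  mv "$tmp" "$f"
  js_disabled "$f"
}

# Constructed sample mongod.conf, mirroring the snippet in the guide.
CONF="${TMPDIR:-/tmp}/mongod.conf.example"
printf 'storage:\n  dbPath: /var/lib/mongodb\nsecurity:\n  authorization: "enabled"\n' > "$CONF"

disable_js "$CONF" && echo "server-side JavaScript disabled in $CONF"
```

To confirm the running server picked the setting up after the restart, `db.adminCommand({ getCmdLineOpts: 1 })` in the mongo shell reports the parsed configuration, including `parsed.security.javascriptEnabled`.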

Mongoaudit — the mongoaudit guides

MongoDB security guides and best practices
