Burp Suite User Forum

Login to post

NoSQL

Thomas | Last updated: Nov 28, 2014 11:04AM UTC

Does Burpsuite or any of its add ons support checks for NoSQL databases?

Liam, PortSwigger Agent | Last updated: Nov 28, 2014 11:04AM UTC

Hi Thomas Thanks for your message. The latest version of Burp Suite Pro does check for server-side JavaScript injection. Please let us know if you need any further assistance.

PortSwigger Agent | Last updated: Feb 18, 2016 04:39PM UTC

If NoSQL queries are submitted by the client to the server where they are executed, then Burp's checks for server-side JS injection should detect this vulnerability.

Burp User | Last updated: Apr 06, 2016 07:24PM UTC

Hi Liam, Would like to resurrect this question. I think the issue here is different. Let's say that the client-side javascript is constructing NoSQL queries against popular NoSQL products such as MongoDB, Cassandra, ElasticSearch etc. Now, a malware author can inject bad code by modifying such NoSQL queries just like the way SQL injection is done. Of course, the non-standard NoSQL query constructs make it a problem with a large surface area. Any info on detecting NoSQL attacks is appreciated. Thx C Chigurupati

You need to Log in to post a reply. Or register here, for free.