Inject Detect - Detecting NoSQL Injection in Meteor Applications

Hey all,

It’s been a while since I’ve posted around these parts.

I’ve been heads down working on a new project called Inject Detect, and I’m excited to announce that it’s officially open to the public!

The idea behind Inject Detect came after working with clients on a wide variety of projects, and observing that Meteor applications are often vulnerable to a type of attack called NoSQL Injection. Put simply, NoSQL Injection is when an attacker can gain control over queries executed against your MongoDB database.

While there are ways of preventing NoSQL Injection in your application (audit-argument-checks, check-checker, validated-method), none of these tools are guaranteed to prevent NoSQL Injection.

What’s worse, there’s no good way of determining if NoSQL Injection attacks are being carried out against your application in production.

Until now!

Inject Detect watches the structure of the queries being made by your application and notifies you if it detects any unexpected queries that might be the result of NoSQL Injection attacks.

If you’d like to learn more about NoSQL Injection or about how Inject Detect can help your application, check out a few articles I’ve written on the subject.

I’m interested to see what you think about this idea, and to learn more about how you protect your application from NoSQL Injection attacks!


Great concept!

I’d be interested in how it works. Do queries hit an API? What’s the performance impact like? – Maybe that’s in the education section, but I can’t see it.

Seems like that page in particular is currently inaccessible, though I hit similar 500 errors while navigating through the app. Refreshing usually got me where I was going, but I could never access /education.


Looks like S3 is having some issues. :frowning:

The application collects metadata about your queries through the east5th:inject-detect Meteor package. If you dig into the source, you’ll see that it basically monkey patches all low-level query functions. On every query it anonymizes the query being made (Inject Detect only cares about query structure, not query data), and then sends batches of those query metadata objects to the Inject Detect servers.

Once on the server, Inject Detect compares incoming query metadata to a set of expected queries you maintain for each application you own. If it detects an unexpected query, it sounds the alarm.

Check out the code of the Meteor package if you’re interested.