Abstract: A NoSQL injection attack targets interactive Web applications that employ NoSQL database services. These applications accept user inputs and use them to form query statements at runtime. During NoSQL injection attack, an attacker might provide malicious query segments as user input which could result in a different database request. In this paper, a testing tool is presented to detect NoSQL injection attacks in web application which is called “NoSQL Racket”. The basic idea of this tool depends on checking the intended structure of the NoSQL query by comparing NoSQL statement structure in code query statement (static code analysis) and runtime query statement (dynamic analysis). But we faced a big challenge, there is no a common query language to drive NoSQL databases like the same way in relational database using SQL as a standardized query language. The proposed tool is tested on four different vulnerable web applications and its effectiveness is compared against three different well known testers, none of them is able to detect any NoSQL Injection attacks. However, the implemented testing tool has the ability to detect the NoSQL injection attacks.

Ahmed M. Eassa, Omar H. Al-Tarawneh, Hazem M. El-Bakry and Ahmed S. Salama, “NoSQL Racket: A Testing Tool for Detecting NoSQL Injection Attacks in Web Applications” International Journal of Advanced Computer Science and Applications(IJACSA), 8(11), 2017. http://dx.doi.org/10.14569/IJACSA.2017.081178

@article{Eassa2017,
title = {NoSQL Racket: A Testing Tool for Detecting NoSQL Injection Attacks in Web Applications},
journal = {International Journal of Advanced Computer Science and Applications},
doi = {10.14569/IJACSA.2017.081178},
url = {http://dx.doi.org/10.14569/IJACSA.2017.081178},
year = {2017},
publisher = {The Science and Information Organization},
volume = {8},
number = {11},
author = {Ahmed M. Eassa and Omar H. Al-Tarawneh and Hazem M. El-Bakry and Ahmed S. Salama}
}