A newer version of this documentation is available.

View Latest

User input validation

To provide for security in applications, pay attention to actions representing NoSQL injection.

Injection attacks are not limited only to SQL databases. In NoSQL databases, they might consist of these actions:

  • Injecting of arbitrary key-value pairs.

  • Overriding of important document fields, such as the document type or password.


 {"user": "will","type":"Private", "password":"0asd21$1%",
  "created":"2012-06-12", "password":"password"}T

The application stores the hashed value of the password oasd21$1%. However, since the application developer used string concatenation, based on user input without proper application validation, the hash password could be overwritten by the plain-text password. If you try to save this document in Couchbase, you will override the first field value with the last supplied field value.

Be aware that an attacker might try to inject arbitrary key-value pairs, override a key-value pair, or change the document type (such as from Private to Public). You must, therefore, protect the input and ensure that field overrides are explicit so that they cannot be changed implicitly by attackers.

The best approach is to validate user input in your application and avoid string concatenation. You can also use strongly typed programming language constructs such as Java POJOs or .Net POCOs to mitigate the risk of an injection attack.