Nosql Injection in Aspnet

Nosql Injection in Aspnet applications typically occurs when user input is concatenated directly into MongoDB queries without proper sanitization. Unlike SQL injection, Nosql injection exploits the query syntax of document databases like MongoDB, allowing attackers to manipulate query logic, bypass authentication, or extract sensitive data.

In Aspnet, this vulnerability often appears in the following patterns:

// VULNERABLE: Direct string interpolation in MongoDB query
var collection = database.GetCollection("users");
var filter = new BsonDocument("username", username);
var result = await collection.Find(filter).FirstOrDefaultAsync();

The above code is vulnerable because the username parameter can contain special characters that modify the query structure. An attacker could supply input like:

username[$ne]=null

This would translate to a query that returns all users where username is not null, effectively bypassing authentication checks.

Another common Aspnet-specific pattern involves dynamic LINQ queries with Entity Framework Core:

// VULNERABLE: Dynamic LINQ with unvalidated input
var query = dbContext.Users.Where($"Username == {username}");
var user = await query.FirstOrDefaultAsync();

Attackers can exploit this by injecting operators like || 1==1 to always return true, or by using special characters to manipulate the query logic.

Model binding in Aspnet MVC can also introduce Nosql injection risks when binding directly to complex types:

// VULNERABLE: Model binding to complex objects
public class UserFilter
{
    public string Username { get; set; }
    public BsonValue Age { get; set; } // BsonValue can be any MongoDB type
}

public async Task GetUsers([FromQuery] UserFilter filter)
{
    var collection = database.GetCollection("users");
    var result = await collection.Find(filter.ToBsonDocument()).ToListAsync();
    return Ok(result);
}

Here, an attacker could craft query parameters that create complex MongoDB expressions, potentially accessing restricted data or causing denial of service through expensive queries.

Detecting Nosql injection in Aspnet applications requires a combination of static analysis and dynamic testing. middleBrick's black-box scanning approach is particularly effective for Aspnet APIs because it tests the actual runtime behavior without requiring source code access.

middleBrick scans Aspnet APIs for Nosql injection by testing common injection patterns against your endpoints. The scanner automatically identifies Aspnet-specific characteristics like:

• Controller routing patterns and HTTP method handling
• Model binding behavior and complex type deserialization
• JSON payload processing in Aspnet Core MVC
• Authentication middleware integration

During a scan, middleBrick tests for Nosql injection by sending specially crafted payloads to your API endpoints:

middlebrick scan https://yourapi.com/api/users --output json

The scanner tests patterns like:

username[$ne]=null
username[$exists]=true
username[$in][]=admin&username[$in][]=user
age[$gt]=100
$where:"this.username.length>0"

For Aspnet applications using MongoDB with the official C# driver, middleBrick also tests for injection in:

• BsonDocument construction with user input
• FilterDefinition building with dynamic parameters
• UpdateDefinition operations with unvalidated data

The scanner provides Aspnet-specific remediation guidance, showing exactly where in your controller actions the vulnerability exists and how to fix it using Aspnet's built-in validation features.

middleBrick's LLM security checks are particularly relevant for Aspnet applications using AI features, as attackers might attempt prompt injection to manipulate Nosql queries through AI-generated code or configuration.

Fixing Nosql injection in Aspnet applications requires a defense-in-depth approach using the framework's built-in validation and sanitization features. Here are Aspnet-specific remediation strategies:

1. Use Strongly-Typed Queries with Parameter Binding

// SECURE: Strongly-typed query with parameter binding
public class UserFilter
{
    [RegularExpression("^[a-zA-Z0-9_]{3,20}$")]
    public string Username { get; set; }
    
    [Range(0, 150)]
    public int? Age { get; set; }
}

public async Task GetUsers([FromQuery] UserFilter filter)
{
    var builder = Builders<BsonDocument>.Filter;
    var filters = new List<FilterDefinition<BsonDocument>>();
    
    if (!string.IsNullOrEmpty(filter.Username))
    {
        filters.Add(builder.Eq("username", filter.Username));
    }
    
    if (filter.Age.HasValue)
    {
        filters.Add(builder.Eq("age", filter.Age.Value));
    }
    
    var collection = database.GetCollection<BsonDocument>("users");
    var result = await collection.Find(builder.And(filters)).ToListAsync();
    return Ok(result);
}

2. Implement Model Validation with Data Annotations

// SECURE: Model validation with custom attributes
public class UserFilter
{
    [Required]
    [MongoInjectionFree] // Custom validation attribute
    public string Username { get; set; }
    
    [Range(0, 150)]
    public int? Age { get; set; }
}

public class MongoInjectionFreeAttribute : ValidationAttribute
{
    protected override ValidationResult IsValid(object value, ValidationContext validationContext)
    {
        if (value is string input && Regex.IsMatch(input, "[$\[\]\(\)\'\"\\]", RegexOptions.Compiled))
        {
            return new ValidationResult("Input contains potentially dangerous characters.");
        }
        return ValidationResult.Success;
    }
}

3. Use Aspnet Core's Input Validation Middleware

// SECURE: Global input validation middleware
public class MongoInjectionValidationMiddleware
{
    private readonly RequestDelegate _next;
    private static readonly Regex _dangerousChars = new Regex("[$\[\]\(\)\'\"\\]", RegexOptions.Compiled);
    
    public MongoInjectionValidationMiddleware(RequestDelegate next)
    {
        _next = next;
    }
    
    public async Task InvokeAsync(HttpContext context)
    {
        if (context.Request.HasFormContentType)
        {
            foreach (var key in context.Request.Form.Keys)
            {
                if (_dangerousChars.IsMatch(context.Request.Form[key]))
                {
                    context.Response.StatusCode = 400;
                    await context.Response.WriteAsync("Invalid input detected.");
                    return;
                }
            }
        }
        
        await _next(context);
    }
}

// In Startup.cs or Program.cs
builder.Services.AddTransient<MongoInjectionValidationMiddleware>();

4. Use Aspnet's Built-in Sanitization Libraries

// SECURE: Using sanitization libraries
using Ganss.XSS;

public class SanitizedMongoQuery
{
    private readonly HtmlSanitizer _sanitizer = new HtmlSanitizer();
    
    public FilterDefinition<BsonDocument> SanitizeAndBuildFilter(string username)
    {
        var sanitized = _sanitizer.Sanitize(username);
        var builder = Builders<BsonDocument>.Filter;
        return builder.Eq("username", sanitized);
    }
}

5. Implement Rate Limiting and Input Length Restrictions

// SECURE: Rate limiting and size restrictions
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    services.AddRateLimiting();
    
    services.Configure<RateLimitOptions>(options =>
    {
        options.GeneralRules = new List<RateLimitRule>
        {
            new RateLimitRule
            {
                Endpoint = "*",
                Period = "1m",
                Limit = 100
            }
        };
    });
    
    services.Configure<MvcOptions>(options =>
    {
        options.MaxRequestBodySize = 10 * 1024; // 10KB limit
    });
}

middleBrick's Pro plan includes continuous monitoring that can automatically scan your Aspnet APIs on a schedule, alerting you if new Nosql injection vulnerabilities are introduced in your codebase.