zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

"NoSQL Injection - MongoDB" high alert is showing in the report, but we are not using MongoDB #8483

Open jitendra-90 opened 1 month ago

jitendra-90 commented 1 month ago

Describe the bug

"NoSQL Injection - MongoDB" high alert is showing in the report, but we are not using MongoDB.

Steps to reproduce the behavior

"NoSQL Injection - MongoDB" high alert is showing in the report, but we are not using MongoDB.

Expected behavior

"NoSQL Injection - MongoDB" high alert is showing in the report, but we are not using MongoDB.

Software versions

2.14.0

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

thc202 commented 1 month ago

Please provide more details of the alert.

jitendra-90 commented 1 month ago

Below is the description of the alert, while we are not using MongoDB in our application:

High Alert --> NoSQL Injection - MongoDB
Description --> MongoDB query injection may be possible.
Attack --> cloud-shape-dark.png[$ne]
Other Info --> In some PHP or NodeJS based back end implementations, in order to obtain sensitive data it is possible to inject the "[$ne]" string (or other similar ones) that is processed as an associative array
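
A small model of the parsing behaviour the alert's "Other Info" describes, added here as an example (this is not ZAP's code and not the reporter's application): a PHP- or qs-style query parser turns a `[$ne]` suffix on a parameter into a nested object, and a type check on the parameter rejects that before any query is built. The parameter name `file` and the query strings are constructed for the example.

```javascript
// Simplified model of bracket-notation query parsing as done by PHP's $_GET
// and by the `qs` module (Express with `extended: true`). Constructed for
// illustration; a real parser has more rules (arrays, depth limits, ...).
function parseNested(queryString) {
  const result = {};
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    // "file[$ne]" becomes the key path ["file", "$ne"].
    const path = decodeURIComponent(rawKey).split(/\[|\]/).filter((s) => s.length > 0);
    let node = result;
    path.forEach((segment, i) => {
      if (i === path.length - 1) {
        node[segment] = value;
      } else {
        if (typeof node[segment] !== 'object' || node[segment] === null) node[segment] = {};
        node = node[segment];
      }
    });
  }
  return result;
}

// Defensive check: does a parsed value contain a key beginning with "$"
// (the MongoDB operator prefix) at any depth? Mirrors what "mongo-sanitize"
// style filters look for.
function containsOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some((k) => k.startsWith('$') || containsOperatorKey(value[k]));
}

// Stricter and simpler: a parameter that must be a string is rejected when the
// parser hands back anything else, regardless of which database sits behind it.
function requireStringParam(params, name) {
  const v = params[name];
  if (typeof v !== 'string') {
    throw new TypeError(`parameter "${name}" must be a string, got ${typeof v}`);
  }
  return v;
}

// Constructed inputs: a normal request and one carrying the [$ne] suffix.
console.log(parseNested('file=cloud-shape-dark.png'));        // { file: 'cloud-shape-dark.png' }
console.log(parseNested('file[$ne]=cloud-shape-dark.png'));   // { file: { '$ne': 'cloud-shape-dark.png' } }
```

Whether the application actually queries MongoDB or not, the first function shows why the scanner treats a parameter that the back end may parse into an object as worth flagging, and the last two show the check that makes the finding moot.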

jitendra-90 commented 1 month ago

How can I try this attack with the ZAP tool?

psiinon commented 1 month ago

That is not enough information for us to work with. We will need the full alert details, including the relevant request and response. Feel free to obfuscate any sensitive information.

jitendra-90 commented 1 month ago

I am attaching the alert screenshot, please have a look. (screenshot: MongoDB-Alert)