Jeff Darcy has written a while back about the (lack of) security in NoSQL database. Unfortunately things haven’t changed much and if you check the NoSQL + Node.js applications I’ve posted lately you’ll notice that some of them are completely ignoring security.
And there are some people realizing the risks and starting to express their concerns:
Playing with MongoDB lately, I’m getting scared. Because I’m seeing some really bad practices out there. Seeing it in live code. In tutorials.
Because of this, defenses against SSJS injection are also similar to SQL injection defenses:
- Validate user input used in SSJS commands with regular expressions.
Remember there’s no such thing as security through obscurity.