How to fix NoSQL Injection in NancyFX
Executive Summary
NancyFX might be lightweight, but piping raw request parameters directly into NoSQL queries is a recipe for a full database dump. NoSQL injection in the .NET ecosystem typically occurs when developers bypass the type-safe driver features in favor of 'convenient' string-based BsonDocument parsing. If an attacker can manipulate the query structure via operators like $gt, $ne, or $where, your data is public property.
The Vulnerable Pattern
Get["/api/users/find"] = _ => {
    var username = this.Request.Query["user"];
    // VULNERABLE: String concatenation inside BsonDocument.Parse
    // Attacker payload: ?user='admin', $or: [ { 'secret': { $ne: null } } ]
    var filter = BsonDocument.Parse("{ 'username': '" + username + "' }");
    return Collection.Find(filter).ToList();
};
The Secure Implementation
The vulnerability exists because BsonDocument.Parse treats the entire string, user input included, as query syntax. By injecting NoSQL operators, an attacker can change the logic of the query (e.g., turning an equality check into a 'not equal' check). The fix is to build the filter with the MongoDB .NET Driver's FilterDefinitionBuilder (Builders<User>.Filter), which binds the username as a BSON string value rather than as query structure.
Get["/api/users/find"] = _ => {
    string username = this.Request.Query["user"];
    // SECURE: Use the FilterDefinitionBuilder for strong typing and automatic parameterization.
    // Builders<User> is the typed builder; the value is sent as a BSON string, never parsed as query text.
    var filter = Builders<User>.Filter.Eq(u => u.Username, username);
    return Collection.Find(filter).ToList();
};
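As an added example (not code from the article), a small console program that shows why the fix works: it walks a parsed BsonDocument for operator keys, then renders the Builders<User>.Filter.Eq filter to show the same text bound as a plain string. It assumes a User class whose Username property maps to the 'username' field, the MongoDB.Driver and MongoDB.Bson packages, and the driver 2.x Render(serializer, registry) signature.

```csharp
using System;
using System.Linq;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;

// Assumed document class; the article does not show its User model.
public class User
{
    [BsonElement("username")] public string Username { get; set; }
    [BsonElement("secret")]   public string Secret { get; set; }
}

public static class FilterAudit
{
    // Recursively flags any key beginning with '$' (a MongoDB query operator).
    // A filter assembled from untrusted text should never contain one the code did not add itself.
    public static bool ContainsOperator(BsonValue value)
    {
        if (value is BsonDocument doc)
            return doc.Elements.Any(e => e.Name.StartsWith("$") || ContainsOperator(e.Value));
        if (value is BsonArray arr)
            return arr.Any(ContainsOperator);
        return false;
    }

    // The article's fix: the value is bound as a BSON string no matter what it contains.
    public static FilterDefinition<User> SafeFilter(string username) =>
        Builders<User>.Filter.Eq(u => u.Username, username);

    // Renders a typed filter to the BsonDocument the driver sends (2.x Render signature assumed).
    public static BsonDocument Render(FilterDefinition<User> filter) =>
        filter.Render(BsonSerializer.SerializerRegistry.GetSerializer<User>(), BsonSerializer.SerializerRegistry);

    public static void Main()
    {
        // Constructed: the query shape the article says results once operators reach Parse.
        var parsed = BsonDocument.Parse("{ 'username': 'admin', $or: [ { 'secret': { $ne: null } } ] }");
        Console.WriteLine("Parsed filter contains an operator: " + ContainsOperator(parsed));

        // The same operator text passed through Eq stays an opaque string value.
        var rendered = Render(SafeFilter("admin', $or: [ { 'secret': { $ne: null } } ]"));
        Console.WriteLine("Rendered filter: " + rendered.ToJson());
        Console.WriteLine("username BSON type: " + rendered["username"].BsonType);
        Console.WriteLine("Rendered filter contains an operator: " + ContainsOperator(rendered));
    }
}
```

ContainsOperator is a useful review-time check for any legacy route that still builds documents from strings; the Eq route needs no such check because the driver never parses the value.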
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.