Does ZAP perform fuzzing or any SQL-related injections in 'MongoDB'/NoSQL?


lakshmi

May 2, 2017, 1:14:44 PM
to OWASP ZAP User Group
Does ZAP perform fuzzing or any SQL-related injections in 'MongoDB'/NoSQL?

Our application has two DBs, 'MongoDB'/NoSQL and PostgreSQL.

Under Context/Active Scan options, I can see supported DB technology-related information, which includes PostgreSQL. I would like to know if 'MongoDB'/NoSQL is also supported, or whether I need to configure any plugin.

Please guide.

Simon Bennetts

May 4, 2017, 4:44:27 AM
to OWASP ZAP User Group
The Release quality 'SQL Injection' rule is mostly RDBMS-independent and also has specific support for PostgreSQL.
We also have a Beta quality PostgreSQL-specific rule: 'SQL Injection - PostgreSQL (Time based)'.

I'm afraid I'm not aware of any MongoDB/NoSQL scan rules :( If anyone would like to work on some then we'd be very happy to provide advice and guidance :)

Cheers,

Simon

kingthorin+owaspzap

May 4, 2017, 4:58:21 AM
to OWASP ZAP User Group
If someone is going to start building a NoSQL Injection scanner, you could use this as a test platform: https://digi.ninja/projects/nosqli_lab.php.

Also OWASP has some NoSQL testing info here: https://www.owasp.org/index.php/Testing_for_NoSQL_injection

Simon Bennetts

May 4, 2017, 6:02:21 AM
to OWASP ZAP User Group
For info I've raised an issue for this and posted about it on the ZAP Dev Group: https://groups.google.com/d/msg/zaproxy-develop/g4Eu1GOHfBc/sbmfyOexAgAJ

Cheers,

Simon

lakshmi

May 8, 2017, 2:23:32 AM
to OWASP ZAP User Group
Thanks Simon and kingthorin for sharing the info.

Oliver Hignett

Oct 10, 2018, 12:29:56 AM
to OWASP ZAP User Group
If you go to the link that kingthorin mentioned, you'll be able to add a custom fuzzer based on this word list: https://github.com/cr0hn/nosqlinjection_wordlists
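The thread above is about whether ZAP can test for NoSQL (MongoDB) injection and how a fuzzer might be built from a word list. For readers who want to understand what such payloads actually exploit and what the fix on the application side looks like, here is an added example that is not part of the thread, of ZAP, or of the linked projects. It is plain Node.js with no MongoDB driver: `findOne` is a constructed stand-in for a collection lookup that understands only equality and `$gt`, the user record and request bodies are constructed sample data, and the credential is stored in plaintext purely to keep the comparison visible. It shows the classic operator-injection pattern (a JSON body whose `password` field is an object such as `{"$gt": ""}` rather than a string) getting past a query builder that copies request values straight into the query document, and being stopped by one that insists on scalar string inputs.

```javascript
// Added example (not from the thread, ZAP, or the linked projects): MongoDB
// operator injection shown as a vulnerable query builder beside a hardened one.
// Pure JavaScript; findOne below is a constructed stand-in, not the real driver.

// Vulnerable: request-body values are copied straight into the query document,
// so a JSON value such as {"$gt": ""} is interpreted as a query operator.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Detection helper: true if any key in the value tree looks like a MongoDB
// operator ("$..." key) or a dotted field path, i.e. the value is not plain data.
// Useful for logging/alerting on suspicious request bodies.
function containsOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsOperatorKeys);
  return Object.entries(value).some(([k, v]) =>
    k.startsWith('$') || k.includes('.') || containsOperatorKeys(v));
}

// Hardened: fields that must be compared literally are required to be strings
// (a type check, which is stronger than stripping "$" keys), with a length bound.
function buildLoginQuerySafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  if (username.length > 256 || password.length > 1024) {
    throw new RangeError('credential field too long');
  }
  return { username, password };
}

// Constructed stand-in for collection.findOne(query): supports equality and
// the $gt operator, which is all that is needed to show the injection effect.
function findOne(docs, query) {
  return docs.find(doc => Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return doc[field] > cond.$gt;
    }
    return doc[field] === cond;
  })) || null;
}

// Constructed sample data. Plaintext password is for illustration only.
const users = [{ username: 'alice', password: 'correct-horse' }];
const legitBody = { username: 'alice', password: 'correct-horse' };
// The kind of body a NoSQL injection word list would produce: password is an
// object carrying an operator instead of a string.
const injectedBody = JSON.parse('{"username":"alice","password":{"$gt":""}}');

// Runs both builders against both bodies and reports the outcomes.
function demo() {
  let safeRejectsInjected = false;
  try {
    buildLoginQuerySafe(injectedBody);
  } catch (e) {
    safeRejectsInjected = e instanceof TypeError;
  }
  return {
    unsafeLegit: findOne(users, buildLoginQueryUnsafe(legitBody)) !== null,
    // Any non-empty password satisfies {$gt: ""}, so the login "succeeds"
    // without knowing the credential.
    unsafeInjected: findOne(users, buildLoginQueryUnsafe(injectedBody)) !== null,
    injectedDetected: containsOperatorKeys(injectedBody),
    legitFlagged: containsOperatorKeys(legitBody),
    safeRejectsInjected,
    safeLegit: findOne(users, buildLoginQuerySafe(legitBody)) !== null,
  };
}

console.log(demo());
```

The type check in `buildLoginQuerySafe` is the important part: a body parser that accepts arbitrary JSON will happily hand the application an object where it expected a string, and only an explicit `typeof` check (or a schema validator doing the same) closes that gap. `containsOperatorKeys` is a second, detection-oriented layer, suitable for flagging requests in logs, but it should not replace the type check, since an attacker-controlled object with no `$` keys can still change query semantics.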