14

Is the injection in a NoSQL database architecture also called SQL injection and is it still part of the OWASP 2013 Top 10, category A1 Injection?

For example, an injection in code that communicates with the following database architectures:

  • Hadoop / HBase
  • Cassandra
  • Elasticsearch
  • MongoDB
  • CouchDB
  • Berkeley DB
Bob Ortiz
  • If you want a term to describe this kind of attack regardless of the underlying technology, use *code injection*; this covers injection into the PHP (or whatever) script as well. (It looks like OWASP just calls it "injection", but I think the "code" qualifier is useful in making it obvious *what* is getting inserted where it shouldn't be.) – zwol Jun 22 '16 at 17:10
  • "SQL Injection" is a *type* of Injection. Specifically, it is the type that tries to inject data into a SQL command stream. If you are injecting data into a different type of command stream, then it is a different type of Injection, but it is *still* Injection. – RBarryYoung Jun 22 '16 at 18:28

2 Answers

19

Those are called NoSQL Injections instead of SQL injections.

You can find more information about NoSQL injections in the OWASP Testing Guide.

Bob Ortiz
Ash Roy
9

Is the injection in a NoSQL database architecture also called SQL injection...

No, it is not called "SQL injection"; this is called a "NoSQL injection". You can read more about it in an article titled "Testing for NoSQL injection", written by OWASP.

... and is it still part of the OWASP 2013 Top 10, category A1 Injection?

Yes, this is a type of injection and that's why it is also categorized in OWASP category A1.

The Illusive Man
Bubble Hacker