According to OWASP, there are over 150 varieties of NoSQL database available for use in web applications. We're going to take a look specifically at MongoDB, the most widely-used, open source, unstructured NoSQL database, to illustrate how injection can work across a variety of toolsets.
The MongoDB API usually expects BSON data (binary JSON) constructed using a secure BSON query construction tool. But in certain cases, MongoDB can also accept unserialized JSON and JavaScript expressions—like in the case of the $where operator.
It's usually used—like the SQL WHERE operator—as a filter:
db.myCollection.find( { $where: "this.foo == this.baz" } );
You can get more complicated with the expression, of course. Ultimately, if the data is not properly sanitized, the MongoDB $where clause...
