Which action most reduces blast radius if an attacker succeeds in injecting queries?

Use least-privilege DB roles so the app account only accesses necessary collections

Give the app a single all-powerful DB user for simplicity

Open DB ports to the app server without firewall rules

Disable audit logging to avoid information disclosure

Which logging/monitoring setup best helps you detect operator-injection attempts without blocking legitimate users?

Send structured request logs to a centralized SIEM and alert on $-prefixed keys or unusual query shapes

Never store any request bodies to preserve privacy

Only log server start/stop messages

Log everything to a single local file and never rotate it

Even with parameterized queries, which pattern can reintroduce injection-like risks?

Dynamically building identifiers or raw query fragments by concatenating derived strings

Using DB drivers that support placeholders

Validating user-supplied numeric IDs server-side

Applying schema validation on inputs

Why are NoSQLi attempts often harder for signature-based WAF rules to catch than SQLi?

Operator-based attacks are structured JSON objects that can look like benign payloads and vary widely

NoSQLi always uses the same fixed token that WAFs already block

NoSQLi payloads are always encrypted end-to-end

NoSQLi only happens on local dev machines, not production

Which change is the safest quick patch if you discover public endpoints accepting arbitrary aggregation stages?

Refuse client-supplied pipeline stages; only allow server-built, validated pipeline templates

Allow arbitrary admin tokens for easier testing

Disable HTTPS to simplify debugging

Return DB error stacks verbatim to clients to speed triage

What defensive measure most directly prevents attackers from executing JavaScript inside MongoDB via user input?

Disabling server-side JS features like $where/$function and rejecting user-supplied code

Enabling $where by default for flexibility

Accepting client JS snippets and eval()ing them on demand

Putting DB credentials in client-side code for speed

Which pattern in logs would most clearly indicate repeated operator-injection probing?

Many requests whose bodies/params contain $ne, $or, $where, or similar tokens

Mostly GETs for static assets like /favicon.ico

Only legitimate admin console activity at business hours

A steady stream of identical benign search queries

When is whitelisting field names inadequate by itself to stop NoSQLi?

When whitelisted values are concatenated into identifiers or used to construct raw query fragments

When you also validate types and lengths thoroughly

When you strip $-prefixed keys before validation

When you build queries only from whitelisted keys server-side

nosql 1 Quiz

Quiz

•

Instructional Technology

•

University

•

Practice Problem

•

Easy

Jigme Dema

Used 3+ times

FREE Resource

15 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which guarantee is often associated with relational databases but is not automatically provided by many document stores?

Always linear horizontal scaling

Built-in schemaless flexibility

Guaranteed fastest read latency

ACID transactional properties

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

When a web API blindly uses req.body as a query filter, what kind of user-supplied element most directly changes query semantics?

Trailing whitespace in string values

Extra JSON comments inserted by the client

Boolean flags encoded as strings

JSON query operators like $ne, $or, $gt

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What developer habit most commonly opens an application to classic SQL injection (textual SQL manipulation)?

Using strict type definitions in DTOs

Sending all queries through a single DB access layer

Avoiding dynamic SQL entirely

Concatenating user input into SQL statement strings

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What is the most important immediate code change when replacing db.collection.find(req.body) to stop operator injection?

Return raw DB documents to the client for debugging

Allow only XML input instead of JSON

Wrap the whole request body in a string and store it

Construct a new filter: extract expected fields, validate types, and only include those keys

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which API-layer control most directly prevents clients from sending operator keys like $where?

Relying on client-side JavaScript to clean inputs

Using transport-layer encryption (TLS) only

Logging incoming requests but not rejecting them

Rejecting or stripping keys that start with $ and whitelisting allowed fields

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What role does a JSON schema library (e.g., Joi) play alongside parameterized routes?

It replaces the DB user permission model

It makes client-side validation unnecessary

It converts find() into raw SQL internally

It validates input shape/types before building queries

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which Mongoose-related benefit most helps prevent NoSQL operator injection?

Automatically running DB backups

Implicitly granting admin roles to the model

Automatically converting all objects to strings

Enforcing a schema so unexpected operator objects are rejected or cast

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

11 questions

Go Pointers

Quiz

•

University

10 questions

DATASTRUCT-ASSMNT

Quiz

•

University

20 questions

Business Intelligence

Quiz

•

University

12 questions

Malware Analysis

Quiz

•

University

20 questions

fun time ft

Quiz

•

10th Grade - University

10 questions

SQL Quiz

Quiz

•

University

20 questions

Comandos Básicos de MongoDB

Quiz

•

9th Grade - University

10 questions

Solve Problems with Data

Quiz

•

University

Popular Resources on Wayground

7 questions

History of Valentine's Day

Interactive video

•

4th Grade

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

15 questions

Valentine's Day Trivia

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

Discover more resources for Instructional Technology

18 questions

Valentines Day Trivia

Quiz

•

3rd Grade - University

12 questions

IREAD Week 4 - Review

Quiz

•

3rd Grade - University

23 questions

Subject Verb Agreement

Quiz

•

9th Grade - University

5 questions

What is Presidents' Day?

Interactive video

•

10th Grade - University

7 questions

Renewable and Nonrenewable Resources

Interactive video

•

4th Grade - University

20 questions

Mardi Gras History

Quiz

•

6th Grade - University

10 questions

The Roaring 20's Crash Course US History

Interactive video

•

11th Grade - University

17 questions

Review9_TEACHER

Quiz

•

University