Security Hub


Redis injection

Signals & Triggers

On Redis datastore access
If user inputs alter SQL query structure


  • Prevent DB driver query execution
  • Block incoming HTTP request
  • Send a Slack notification
  • Send an email notification
  • POST to webhook


Unlike relational databases, Redis does not rely on SQL but on JSON to represent queries. If a user input is not properly sanitized when the query is built, an attacker can easily inject operators that alter the query structure. This leads to potential NoSQL injections.

Consider the following query: { hidden: true }. If the value under the hidden key is fed by user input through the HTTP request query string or body, an attacker might be able to pass the value { $ne: "" }, causing the query to return all documents regardless of their hidden status.

Sqreen can detect queries that are vulnerable to Redis injections without false positives by acting inside the app, at the driver level.

Advanced details

When the application starts, the Sqreen library hooks the main Redis drivers' methods in order to catch queries about to be executed.

Next, on every database request, Sqreen locally parses the JSON query about to be executed. It looks for unsanitized operators coming from user inputs that alter the original query structure and let an attacker divert the query from its original purpose.

No traffic redirection is performed. The analysis of the query happens inside the application, relying on Sqreen’s dynamic instrumentation of the Redis driver.

Because it runs in-app, just before the query is sent to the Redis server (the very last step in your app), Sqreen can guarantee 100% false-positive-free detection and protection against NoSQL injections in Redis.
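The { hidden: true } / { $ne: "" } case and the driver-level check described above, as an added example in Node.js (this is not Sqreen's code and does not use its library). It assumes user input arrives as an already-parsed request body, models the query as a plain JSON object, and uses constructed sample bodies.

```javascript
// Added example, not Sqreen's implementation. Sample bodies are constructed.

// Vulnerable builder: copies the user-controlled value verbatim, so a body of
// {"hidden": {"$ne": ""}} turns a plain value into an operator object.
function buildQueryUnsafe(body) {
  return { hidden: body.hidden };
}

// Hardened builder: coerces the input to the type the query expects, so the
// value can never become a nested operator object.
function buildQuerySafe(body) {
  return { hidden: body.hidden === true || body.hidden === 'true' };
}

// Collect the serialized form of every object nested in the user input, so an
// injected operator object can be matched wherever it lands in the query.
function serializedValues(obj, out = new Set()) {
  if (obj !== null && typeof obj === 'object') {
    out.add(JSON.stringify(obj));
    for (const v of Object.values(obj)) serializedValues(v, out);
  }
  return out;
}

// Walk the query about to be executed and report every operator key ("$...")
// whose enclosing object came straight from the user input (e.g. "hidden.$ne").
function detectInjectedOperators(query, userInput) {
  const tainted = serializedValues(userInput);
  const hits = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== 'object') return;
    const fromUser = tainted.has(JSON.stringify(node));
    for (const [key, value] of Object.entries(node)) {
      if (fromUser && key.startsWith('$')) hits.push([...path, key].join('.'));
      walk(value, [...path, key]);
    }
  };
  walk(query, []);
  return hits;
}

// Driver-level guard: refuse to execute a query whose structure was altered by
// user input (the "prevent DB driver query execution" response above).
function guardQuery(query, userInput) {
  const hits = detectInjectedOperators(query, userInput);
  if (hits.length > 0) {
    throw new Error(`NoSQL injection blocked: user-supplied operator at ${hits.join(', ')}`);
  }
  return query;
}

// Constructed sample request bodies: a legitimate one and an injected one.
const benignBody = { hidden: true };
const attackBody = { hidden: { $ne: '' } };
```

In a real driver hook the same check would run right before the query leaves the process, with the original request payload as `userInput`.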

Language support

  • Ruby
  • Python
  • Node.js
  • Java

Data collected by Sqreen

No data collected

On attack
  • Redis queries
  • Request payload
  • Attacker IP
  • Attacker account (Sqreen SDK)
