fix: added NoSQL scenario example

Author: IgorSasovets

2019/en/src/0xa8-injection.md

@@ -60,6 +60,30 @@ vulnerable firmware:
 $ curl -k "https://${deviceIP}:4567/api/CONFIG/restore" -F 'appid=$(/etc/pod/power_down.sh)'
 ```
 
+### Scenario #3
+
+We have MEAN stack application with basic CRUD functionality for operations with
+bookings. Attacker managed to identify that NoSQL injection might be possible
+through `bookingId` query string parameter in delete booking request.
+Request looks like:
+`DELETE /bookings?bookingId=678`
+
+On server side, application uses the following function to handle a request:
+
+```
+router.delete('/bookings', async function (req, res, next) {
+  try {
+      const deletedBooking = await Bookings.findOneAndRemove({'_id' : req.query.bookingId});
+      res.status(200);
+  } catch (err) {
+     res.status(400).json({error: 'Unexpected error occured while processing a request'});
+  };
+```
+
+Attacker intercepted the request and changed bookingId query string parameter as below:
+`DELETE /bookings?bookingId[$ne]=678`
+As a result, an attacker managed to delete another user booking.
+
 ## How To Prevent
 
 Preventing injection requires keeping data separate from commands and queries.