Investigating NoSQL Injection Attacks on

MongoDB Web Applications

Hardi Matholia Oluwasola Mary Adedayo
Applied Computer Science Applied Computer Science
University of Winnipeg University of Winnipeg
Winnipeg, Canada Winnipeg, Canada
matholia.hardi@gmail.com m.adedayo@uwinnipeg.ca

Abstract—Modern web applications are increasingly data- manipulate queries sent to a NoSQL database, enabling them
intensive and handle a wide variety of semi-structured and to bypass authentication, extract or modify data, induce a
2025 13th International Symposium on Digital Forensics and Security (ISDFS) | 979-8-3315-0993-4/25/$31.00 ©2025 IEEE | DOI: 10.1109/ISDFS65363.2025.11011969

unstructured data. Traditional relational databases were not Denial of Service (DoS), or execute malicious code on the
designed to manage such data, and using them often leads to server. “The OWASP Top 10” [3] report lists injection attacks
complications in storage, retrieval, and performance as one of the most common security risks to web applications.
degradation. As a result, NoSQL databases have become more Despite the increasing interest in NoSQL database security,
popular in recent years. With key advantages such as high studies on NoSQL injections in MongoDB are still scarce, and
performance, scalability, and support for diverse data more comprehensive studies are needed to address these
structures, NoSQL databases are particularly well suited for
vulnerabilities.
handling large volumes of data, making them a popular choice
for small businesses seeking efficient storage solutions. This study investigates the most common NoSQL
However, storing sensitive information in these databases makes injection attack techniques targeting MongoDB, one of the
them targets for attackers aiming to steal data or compromise most widely used NoSQL databases. Using simulations, the
applications. One of the major security threats to NoSQL research aims to identify potential injection vulnerabilities in
databases is NoSQL injection, which attackers exploit to gain MongoDB-based web applications and evaluate mitigation
unauthorized access. This research investigates how MongoDB- techniques such as input validation, proper authentication
based web applications can be exploited through simulated
mechanisms, and query sanitization, to defend against NoSQL
NoSQL injection attacks, examines their impact, and evaluates
injection attacks. By simulating various attack scenarios, such
mitigation techniques to prevent these security risks. The
findings aim to help NoSQL database developers understand the as query manipulation and authentication bypass, this study
mechanisms of NoSQL injection attacks and implement provides valuable insights into the behavior and impact of
stronger security measures to protect sensitive data. NoSQL injection attacks, helping security professionals and
developers assess and address vulnerabilities effectively. The
Keywords—NoSQL Databases, MongoDB, Injection, study raises awareness of the risks associated with NoSQL
Simulation injection attacks. Insights from the different threats that we
explore, ensure that developers and security professionals are
I. INTRODUCTION better equipped to implement preventive measures and
NoSQL, or “Not Only SQL,” are database management mitigation strategies before deploying applications. Lastly,
systems (DBMS) designed to store and manage large volumes our research contributes to improving code quality by
of unstructured and semi-structured data. Unlike traditional suggesting ways to identify and fix vulnerabilities early in the
relational databases that rely on predefined schemas and development cycle.
tables, NoSQL databases offer flexible structures that can The rest of this paper is organized as follows: Studies in
evolve as needed. These databases can be easily scaled by relevant fields are discussed in Section II, a general
adding more servers to handle increasing amounts of data, introduction to NoSQL injection attacks and MongoDB is
making them ideal for modern web applications across various provided in Section III, and the methodology is presented in
industries. With the rise of cloud technology, big data, and Section IV. Section V describes our experiments and results
mobile applications, NoSQL databases have become the and Section VI concludes the article and highlights future
preferred choice for businesses seeking high performance and directions.
scalability. However, as NoSQL databases gain popularity,
they also face growing security challenges. Database security II. RELATED WORKS
has been and will continue to be one of the most critical SQL injection in relational databases has been extensively
aspects of application security [1]. studied. In [4], researchers proposed a static analysis
With the increasing amount of sensitive data and the rising technique to identify malicious parts in system source code.
number of cyberattacks and data breaches, ensuring database Another approach [5] utilized dynamic analysis, where the
security has become more crucial than ever. Unauthorized query is executed before being sent to the DB server, though
access to databases can lead to significant risks, including data it incurs overhead in generating the model at runtime.
theft, modification, or loss. As a result, it is crucial to protect Consequently, a combined approach that leverages both static
databases from unauthorized access and attacks to secure both and dynamic analysis was introduced in [6]. A more recent
company assets and user privacy. While SQL injection attacks study [7] presented a machine learning-based approach for
in relational databases have been well-studied, the emergence SQL injection detection. However, given that NoSQL
of new query formats in NoSQL databases makes previous databases store and process data differently research into how
approaches less applicable to NoSQL systems. However, injection attacks are carried out and how they affect NoSQL
NoSQL databases are not immune to injection attacks [2]. databases is required.
NoSQL injection is a vulnerability that allows an attacker to

979-8-3315-0993-4/25/$31.00 ©2025 IEEE

Authorized licensed use limited to: Addis Ababa University. Downloaded on September 09,2025 at 08:40:19 UTC from IEEE Xplore. Restrictions apply.
 There is limited research on NoSQL database security and
NoSQL injection. However, existing studies have shown that
the most severe threats to web applications are, the exposure
of sensitive data and unauthorized access to the system [10],
both of which can be carried out through injection attacks.
Researchers who have contributed to the area of web
application security have described the continuing challenge
faced by web applications and showed that current protection
techniques have several limitations [9, 10]. In their paper [8],
Gajanan et al. present the limitations of various traditional and
recent approaches for detecting and preventing web
application attacks. The challenges in the current web
application protection techniques have also been identified in
Fig. 1. NoSQL injection attack in web applications
[9].
Researchers in NoSQL security have shown that NoSQL Vulnerable web applications can allow attackers to gain
databases can be attacked, revealing that they are not immune unauthorized access to a NoSQL database and modify or
to security risks [11, 14]. In [11], the authors discuss the main delete data. Any web form, even a simple login form, signup
functionality and security features of the most common form or search box (where users can input or modify data),
NoSQL databases (Cassandra and MongoDB) and outline might provide access to back-end NoSQL databases. In
their security weaknesses. The techniques used to attack practice, the common reasons for a web application’s
NoSQL databases, such as injections and CSRF (an attack that vulnerability to NoSQL injection are improper filtering and
forces an authenticated user to perform unwanted actions on a poor validation for user input. These vulnerabilities can occur
web application), are presented in [2]. Additionally, some in any type of NoSQL system and can be exploited through
methods to mitigate these attacks on NoSQL databases are injection attacks, where user input is directly added to a query
also discussed [2, 12]. In their paper [13], Priyadharshini et al. without proper validation or sanitization. This can allow
proposed a model for designing an effective security attackers to manipulate queries or inject malicious JavaScript.
mechanism for NoSQL databases using the Kerberos network In this paper, we focus on addressing this in MongoDB which
authentication protocol. A method called DNIARS for is currently the most popular NoSQL database [18].
detecting NoSQL injection attacks in web applications via a A. MongoDB
RESTful service was introduced in [15], while NoSQL MongoDB is an open-source, document-oriented NoSQL
Racket, a testing tool for detecting such attacks, was presented database. It simplifies development by providing a wide range
in [16]. In [1, 17], researchers have analyzed NoSQL injection of capabilities within a single, managed platform. In
attacks in MongoDB, proposing defense strategies and MongoDB, data is stored as documents, which are similar to
methods to prevent such attacks. rows in a table in a SQL database. A collection is a group of
None of these reviewed works of literature provide a documents, much like a table in SQL. However, MongoDB’s
comprehensive analysis of NoSQL injection attacks specific flexible structure gives it some unique features. Each
to MongoDB. Therefore, this research aims to address these document is a data structure made up of key-value pairs,
gaps by exploring the various NoSQL injection techniques for similar to JSON objects as shown in Figure 2. These
MongoDB-based web applications and assessing potential documents can also include other documents, arrays, or even
mitigation strategies through simulations. arrays of documents, allowing for flexible and complex data
organization.
III. NOSQL INJECTION
One of MongoDB’s main advantages is its powerful query
“The OWASP Top 10” [3] report, which tests and language, which combines features from both object-oriented
evaluates the most critical threat categories against web and relational query languages. This flexibility allows
applications, lists injection attacks as one of the most common MongoDB to support a variety of queries and enables data
security risks to web applications. It defines injection as flaws indexing. MongoDB can handle millions or even billions of
that occur when an application sends untrusted data to an records, offering high scalability and performance. As a result,
interpreter. Injection flaws are very prevalent, particularly in it is used by many commercial projects, particularly those
legacy code and are often found in SQL, LDAP, XPath, or dealing with big data. Its efficiency, ease of deployment, and
NoSQL queries; OS commands; XML parsers, SMTP portability make it increasingly popular among developers
Headers, and program arguments [3]. Unlike SQL injection, and companies. However, like almost every new technology,
where malicious input targets relational databases, NoSQL NoSQL databases lacked security functionalities when they
injection exploits vulnerabilities in NoSQL databases, which first emerged [11]. The flexibility of MongoDB and other
use flexible, schema-less query languages that may be less
restrictive in input validation. NoSQL injection is a type of
vulnerability where an attacker can inject malicious code into
NoSQL queries through web page input controls. The attacker
takes advantage of poorly filtered or improperly escaped
characters within part of NoSQL statements and injects
arbitrary data into a string (e.g., through a login form) that is
eventually executed by the NoSQL database engine as shown
in Figure 1.
Fig. 2. Document in MongoDB

Authorized licensed use limited to: Addis Ababa University. Downloaded on September 09,2025 at 08:40:19 UTC from IEEE Xplore. Restrictions apply.
NoSQL databases, which do not require a fixed structure make
it harder to enforce certain security rules. As more web
applications shift towards using MongoDB databases, the
topic of injection in MongoDB is worth investigating because
databases are often targeted by attackers. This study examines
instances of MongoDB injection attacks through simulation
and evaluates mitigation strategies.
IV. METHODOLOGY
The methodology for this study involves simulating the
most common NoSQL injection attacks on a web application
built with Java, Spring Boot, and Angular, which interacts
with a MongoDB database. The following steps explain the
process used to carry out the attack simulations, collect
results, and analyze the effectiveness of various mitigation
techniques for MongoDB security.
A. Web Application Setup Fig. 4. MongoDB setup
To simulate real-world NoSQL injection attacks, a web
application modeling an online store that sells products and are always true (tautologies). For example, the syntax
allows searches was developed, as shown in Figure 3, using of the MongoDB $ne operator can be exploited as:
the following technologies: “db.users.find({ username: {“$ne”:
 Java: The backend of the application was developed null}, password: {“$ne”: null} })”
using Java 17, taking advantage of its features to create
a strong and reliable server-side application. which lets attackers illegally log in to the system
without appropriate credentials. The application
 Spring Boot: The application was built with Spring accepts a username and password as inputs from the
Boot 3.4.0, making it easier to quickly create RESTful user, but if the inputs are not sanitized, the attacker can
APIs for interacting with the MongoDB database. pass {“$ne”: null} to gain access.
 Angular: The front end of the web application was  Union Queries: This type of attack involves an
developed with Angular 19.0.2, which communicates attacker leveraging the UNION operator in MongoDB.
with the backend to send and receive data, allowing In this attack, the attacker exploits a vulnerable
users to interact with the application. parameter to alter the dataset returned by a query. For
B. MongoDB Setup example, in the query:
A MongoDB instance (8.0.4) was deployed and “db.products.find({ price: {“$ne”:
configured to store sample data that imitates a real-world web null}, $or: [{ productname: “laptop” }]
application as shown in Figure 4. A collection of sample data, })”
such as user credentials and product information, was an attack is demonstrated where the Boolean OR
populated. operator is exploited by adding expressions that are
C. Library of NoSQL Injection Attacks and Simulation always true. The example shows a scenario with a price
filter, where the application accepts the price from the
A library of potential NoSQL injection attacks was user. However, if the input is not sanitized, the attacker
created, and corresponding request payloads for each attack can pass the following query.
were integrated into the web application to test against
MongoDB. Various injection attack scenarios were then “{“$ne”:null}, $or:[{ productname:
simulated to assess the security vulnerabilities in the “laptop”}]”
application. The types of injection attacks simulated include:  JavaScript Injection: The $where operator in
 Tautologies: These attacks allow bypassing of MongoDB allows passing either a string containing a
authentication or access mechanisms by injecting code JavaScript expression or a full JavaScript function to
in conditional statements, generating expressions that the query system. An attacker can leverage this to
inject malicious scripts. Passing unsanitized user input
to these queries may allow the injection of arbitrary
JavaScript code, which could result in illegal data
extraction or alteration. Since JavaScript is powerful,
exposing such a vulnerability can be compared to
handing a machine gun to a top criminal. Hackers can
easily exploit such vulnerabilities to launch attacks that
threaten the web server, such as DDoS attacks. If the
parameter is deemed vulnerable, the malicious code
shown in Figure 5 would cause the server to run at
100% utilization for 10 seconds, resulting in a denial
of service.
Fig. 3. Home page of the web application

Authorized licensed use limited to: Addis Ababa University. Downloaded on September 09,2025 at 08:40:19 UTC from IEEE Xplore. Restrictions apply.
 malicious code often contains harmful characters, this
approach helps prevent unsafe data from being passed
through. By filtering out these characters, it becomes
more difficult for attackers to manipulate or bypass the
system. Since user input cannot be fully trusted, it is
essential to apply this defense by validating the input
after it is received from the browser. This can be
achieved by creating a server-side function that checks
and validates the user input.
Fig. 5. JavaScript Injection attack on MongoDB
 Parameterized statement: This approach involves
 Piggybacked Queries: It is a type of injection attack checking and filtering the variables in a parameterized
where an attacker injects additional queries into an statement. When writing conditional statements, this
existing query, causing the database to execute solution prevents user input variables from being
multiple queries in a single request. In piggybacked directly and automatically embedded into the
queries, attackers exploit assumptions in the condition statement. Instead, the contents of the user’s
interpretation of special characters in escape sequences input are filtered, and parameterized statements are
(such as termination characters like carriage return and used to pass the variables entered by the user.
line feed [CRLF]) to insert additional queries that are Parameterized statements allow for the repeated
executed by the database. This could lead to arbitrary execution of the same or similar database queries with
code execution by the attacker. Consider the example high efficiency, but without directly embedding user
shown in the query: input into the query. The way it works is by first
defining a NoSQL query structure and then passing the
“db.products.insert({name:“hacked!”});d user’s parameters later. This ensures that an attacker
b.dropDatabase();({})” cannot alter the intent of the query, such as inserting a
where the application accepts a name for insertion NoSQL command into the query parameters. By using
from the user. The attacker can use notation like “;” to this approach, the structure of the query is predefined,
append a query that could drop the entire database. making it very difficult for attackers to inject malicious
code.
D. Results Collection, Analysis, and Mitigation Evaluation
After executing the attack simulations, the results were V. RESULTS AND DISCUSSION
collected and analyzed to determine the success of each A. Tautologies
attack and its impact on the MongoDB database and the web
application. Based on the initial results, two mitigation The tautology attack aimed to bypass authentication by
strategies suggested by Hou et al. [1] were applied to reduce injecting a query that always evaluates to true. In the absence
the risk of NoSQL injection. These strategies included: of input validation, the attack successfully bypassed the login
mechanism and granted unauthorized access to the
 Input Validation: Input validation is designed to limit application. The results before mitigation, as shown in Figure
the type of data users can input. This form of validation 6, demonstrate that the application allowed an attacker to log
enhances security by blocking harmful or incorrect in with arbitrary credentials by exploiting a tautology. The
data from infiltrating the database. For example, in a login API call returned a 200 OK status, indicating successful
price filter scenario, the input should consist only of authentication.
numbers. Developers can implement regular
expression (regex) code to ensure that the input box After implementing parameterized queries and performing
accepts only numeric values. Regular expressions are input validation (by only accepting strings and not JSON
effective at preventing unwanted characters or objects as user input in the form fields), the attack was
notations from being input into the database. Since

Fig. 6 Tautologies Injection on MongoDB

Authorized licensed use limited to: Addis Ababa University. Downloaded on September 09,2025 at 08:40:19 UTC from IEEE Xplore. Restrictions apply.
successfully blocked. As shown in Figure 7, the attacker was
unable to bypass authentication.
B. Union Queries
To prevent union query NoSQL injection attacks in the
specific case of a price filter, input validation was
implemented to only accept numerical values, using a regex
pattern as shown in Figure 8. The purpose of the regex Fig. 9. JavaScript injection mitigation using Java OWASP library
expression was to restrict input to a safe format, allowing only
numbers and blocking any attempts at injecting malicious
NoSQL queries. This approach successfully prevented such
attacks in this scenario. Other regex expressions could be
created to handle different types of input, such as allowing
decimal values with a pattern like ^\d+(\.\d+)?$, or
enforcing specific formats or ranges for the input. The
underlying goal of using regex in this context is to sanitize the
input, ensuring it matches an expected and safe format, which Fig. 10. Piggybacked query attack on MongoDB from search input
helps mitigate the risk of NoSQL injection attacks.
shown in Figure 10 and Figure 11, causing significant damage
to the system.
C. Javascript Injection This type of attack was prevented by creating a Java
JavaScript injection attacks typically occur when service, as shown in Figure 12, that validates user input and
untrusted data is inserted into web pages or applications, disallows the use of semicolons. The Java service checks the
allowing an attacker to execute arbitrary JavaScript code. query string to see if a semicolon is present; if it detects one,
This risk was mitigated by properly sanitizing and validating it rejects the string and prevents the execution of the query in
the input using Java libraries like the OWASP Java Encoder, MongoDB. By rejecting inputs that contain semicolons, the
as shown in Figure 9, to escape potentially dangerous attack vector was effectively mitigated.
characters such as ¡, ¿, ”, ’, and &. E. Discussion and Implications
D. Piggybacked Queries The findings of this study highlight the ease with which
attackers can manipulate data in NoSQL databases,
Piggybacked queries often use semicolon notation (;) to
particularly MongoDB, using injection techniques that exploit
append additional queries, which can lead to NoSQL injection
weaknesses in query formation. MongoDB is vulnerable to
attacks. Before mitigation, the application was vulnerable to
NoSQL injection attacks due to the lack of built-in query
such attacks. For example, a query containing
parameterization and weak input validation.
“;db.dropDatabase()” could drop the entire database, as
The result described in the study can, however, be
translated to other NoSQL databases that also have such
limitations. As shown in our experiments, these attacks allow
attackers to bypass authentication, steal sensitive data, or even
drop the entire database.
The results indicate that both parameterized queries and
input validation effectively mitigate the most common
NoSQL injection attacks. Input validation filters out invalid
characters, while parameterized queries prevent direct
injection into the query structure. Together, these strategies
significantly reduce the risk of successful injection attacks in
MongoDB-based applications. Therefore, developers must
adopt proper input validation, robust authentication
Fig. 7. Tautologies attack mitigated

Fig. 8. Input validation service in Java to only allow numbers Fig. 11. MongoDB after dropDatabase executed through piggy
backed query attack

Authorized licensed use limited to: Addis Ababa University. Downloaded on September 09,2025 at 08:40:19 UTC from IEEE Xplore. Restrictions apply.
 against injection attacks and other security threats. Our
experiments show how these approaches can be used in the
scenarios that we explored.
Future work will entail studying more types of NoSQL
database attacks and developing approaches such as using
supervised machine learning to detect NoSQL injection. In
addition, the use of parsers to prevent NoSQL injection will
also be explored.
REFERENCES
[1] B. Hou, K. Qian, L. Li, Y. Shi, L. Tao, and J. Liu, “Mongodb NoSQL
injection analysis and detection,” in 2016 IEEE 3rd International
Conference on Cyber Security and Cloud Computing (CSCloud). IEEE,
2016, pp. 75–78.
[2] A. Ron, A. Shulman-Peleg, and E. Bronshtein, “No SQL, no injection?
examining NoSQL security,” arXiv preprint arXiv:1506.04082, 2015.
[3] OWASP, “Owasp top 10: 2021,” https://owasp.org/ www-project-top-
ten, 2021, [Accessed: Nov. 30, 2024].
[4] Z. Lashkaripour and A. G. Bafghi, “A security analysis tool for web
application reinforcement against sql injection attacks (sqlias),” in
2013 10th International ISC Conference on Information Security and
Cryptology (ISCISC). IEEE, 2013, pp. 1–8.
[5] G. Shrivastava and K. Pathak, “Sql injection attacks: Technique and
prevention mechanism,” International Journal of Computer
Applications, vol. 69, no. 7, 2013.
Fig. 12. Mitigation for piggybacked queries [6] I. Lee, S. Jeong, S. Yeo, and J. Moon, “A novel method for sql injection
attack detection based on removing sql query attribute values,”
mechanisms, and strong API security practices to prevent Mathematical and Computer Modelling, vol. 55, no. 1-2, pp. 58–68,
2012.
injection attacks.
[7] M.-Y. Kim and D. H. Lee, “Data-mining based sql injection attack
However, while input validation and parameterized detection using internal query trees,” Expert Systems with Applications,
queries provide strong mitigation for the NoSQL injection vol. 41, no. 11, pp. 5416–5430, 2014.
attacks observed in this study, it is important to recognize that [8] G. P. Bherde and M. Pund, “Recent attack prevention techniques in
web service applications,” in 2016 International Conference on
they may not address all possible attack scenarios in real- Automatic Control and Dynamic Optimization Techniques
world applications. For example, in the case of union queries, (ICACDOT). IEEE, 2016, pp. 1174–1180.
the approach used in this study successfully blocked such [9] V. Prokhorenko, K.-K. R. Choo, and H. Ashman, “Web application
attacks. However, this solution is scenario-specific. Even protection techniques: A taxonomy,” Journal of Network and
though input validation is essential, if union queries are Computer Applications, vol. 60, pp. 95–112, 2016.
permitted, it would be difficult to fully prevent an attacker [10] S. Hossain and K. A. Mahmud, “The pros and cons of modern web
from exploiting vulnerabilities. More types of database application security flaws and possible solutions,” 2018.
attacks such as blind injections, may also not be fully [11] L. Okman, N. Gal-Oz, Y. Gonen, E. Gudes, and J. Abramov, “Security
mitigated by these strategies alone. However, these attacks issues in NoSQL databases,” in 2011 IEEE 10th International
Conference on Trust, Security and Privacy in Computing and
were not included in this study as they were beyond the scope Communications. IEEE, 2011, pp. 541–547.
of the research. [12] N. Gupta and R. Agrawal, “NoSQL security,” in Advances in
Computers. Elsevier, 2018, vol. 109, pp. 101–132.
VI. CONCLUSION AND FUTURE WORK
[13] S. Priyadharshini and R. Rajmohan, “Analysis on database security
Information security plays a crucial role in the protection model against NoSQL injection,” Int. J. Sci. Res. Comput. Sci., Eng.
of systems and software, requiring developers and Inf. Technol, vol. 2, no. 2, pp. 168–171, 2017.
administrators to prioritize the security of databases, [14] E. Sahafizadeh and M. A. Nematbakhsh, “A survey on security issues
permissions, and firewalls. This study shows that NoSQL in big data and NoSQL,” Advances in Computer Science: an
International Journal, vol. 4, no. 4, pp. 68–72, 2015.
databases like MongoDB can be easily attacked, and this can
[15] A. M. Eassa, M. Elhoseny, H. M. El-Bakry, and A. S. Salama, “Nosql
lead to sensitive data being leaked, intercepted, or changed. In injection attack detection in web applications using restful service,”
this paper, we simulated and discussed different attacks that Programming and Computer Software, vol. 44, pp. 435–444, 2018.
may be carried out using NoSQL injection. The attacks [16] A. M. Eassa, O. H. Al-Tarawneh, H. M. El-Bakry, and A. S. Salama,
discussed in this paper are a few examples of the risks faced “Nosql racket: A testing tool for detecting NoSQL injection attacks in
by web applications. Although it is not impossible to web applications,” International Journal of Advanced Computer
demonstrate all possible attack scenarios, our experiments and Science and Applications, vol. 8, no. 11, 2017.
discussions show the key methods by which different attack [17] V. Sachdeva and S. Gupta, “Basic NoSQL injection analysis and
detection on MongoDB,” in 2018 International Conference on
scenarios can be carried out. Advanced Computation and Telecommunication (ICACAT). IEEE,
While it is not practical to block all potential entry points 2018, pp. 1–5.
to prevent NoSQL injection attacks, developers can [18] DB-Engines, “Db-engines ranking,” 2024, accessed: Nov. 30, 2024.
[Online]. Available: https://db-engines.com/en/ranking
significantly reduce risks by implementing input validation
and parameterized queries. These defense methods, when
applied correctly, can provide an effective layer of protection

Authorized licensed use limited to: Addis Ababa University. Downloaded on September 09,2025 at 08:40:19 UTC from IEEE Xplore. Restrictions apply.