NoSQL Injection Testing Skill

Purpose

Validate NoSQL injection vulnerabilities by injecting special operators, JavaScript code, or malformed queries into user-controlled inputs and observing:

• Authentication bypass via operator injection (

  $ne

  ,

  $gt

  ,

  $regex

  )
• Data exfiltration via query manipulation
• JavaScript execution in databases supporting server-side JS (

  $where

  ,

  mapReduce

  )
• Boolean-based inference by comparing response differences
• Time-based inference via heavy operations or sleep-like constructs

Vulnerability Types Covered

1. Operator Injection (CWE-943)

Inject MongoDB query operators to manipulate query logic.

Detection Methods:

• {"$ne": ""}

  — not equal empty, bypasses equality checks

• {"$gt": ""}

  — greater than empty, returns all matching documents

• {"$regex": ".*"}

  — regex wildcard match

• {"$or": [...]}

  — logical OR injection

Example Attack:

// Normal: {"username": "admin", "password": "secret"}
// Attack: {"username": "admin", "password": {"$ne": ""}}
// Effect: Returns admin user regardless of password

2. JavaScript Injection (CWE-943)

Inject JavaScript in databases supporting server-side execution.

Detection Methods:

• $where

  clause injection:

  {"$where": "this.password.length > 0"}

• mapReduce

  function injection

• $function

  aggregation operator (MongoDB 4.4+)

Example Attack:

// Payload: {"$where": "sleep(5000) || true"}
// Effect: 5-second delay if JS execution enabled

3. Array/Object Injection (CWE-943)

Exploit type confusion when arrays or objects are passed where strings expected.

Detection Methods:

• username[$ne]=

  via query string (Express.js extended query parser)
• Array index manipulation:

  items[0]=malicious

4. Aggregation Pipeline Injection (CWE-943)

Inject into MongoDB aggregation pipelines.

Detection Methods:

• $lookup

  injection for cross-collection access

• $out

  or

  $merge

  for write operations

• $group

  manipulation for data extraction

Database-Specific Notes

$ne

$gt

$regex

$or

$where

mapReduce

$where

DEBUG SLEEP

Prerequisites

• Target reachable; NoSQL-backed functionality identified (API endpoints, forms, JSON bodies)
• Know (or infer) database type to select appropriate payloads
• If authentication required: test accounts available or mark paths UNVALIDATED
• VULNERABILITIES.json with suspected NoSQLi findings if provided

Testing Methodology

Phase 1: Identify Injection Points

• JSON POST bodies (most common for NoSQL APIs)
• URL query parameters (especially with extended query parsers)
• HTTP headers (authorization tokens, custom headers)
• Path parameters

Key Insight: NoSQL APIs typically accept JSON; look for object/array inputs where operators can be injected.

Phase 2: Establish Baseline

• Send a normal request; record status, content, and response time
• Note authentication/authorization behavior
• Identify error message patterns

Phase 3: Execute NoSQL Injection Tests

Operator Injection (Authentication Bypass):

# Baseline
baseline = post("/login", json={"username": "admin", "password": "wrong"})
# Expected: 401 Unauthorized

# Test with $ne operator
test = post("/login", json={"username": "admin", "password": {"$ne": ""}})
# If 200 OK: VALIDATED - operator injection bypassed auth

Operator Injection (Data Extraction):

# Baseline
baseline = get("/api/users?role=user")
# Expected: Returns only users with role="user"

# Test with $gt operator
test = get("/api/users?role[$gt]=")
# If returns more users: VALIDATED - operator injection expanded query

Boolean-Based Inference:

# True condition
true_resp = post("/api/search", json={"name": {"$regex": "^a"}})
# False condition
false_resp = post("/api/search", json={"name": {"$regex": "^zzzzz"}})
# Compare response lengths/content
if len(true_resp.text) != len(false_resp.text):
    status = "VALIDATED"

JavaScript Injection (if enabled):

# Time-based test
baseline_time = measure(post("/api/query", json={"filter": "normal"}))
test_time = measure(post("/api/query", json={"$where": "sleep(5000) || true"}))
if test_time > baseline_time + 4.5:
    status = "VALIDATED"

Phase 4: Classification Logic

Phase 5: Capture Evidence

Capture minimal structured evidence (redact PII/secrets, truncate to 8KB, hash full response):

• status

  ,

  injection_type

  ,

  cwe

• Baseline request (url/method/status/body hash)
• Test request (url/method/status/body hash)
• Payload used
• Authentication bypass details if applicable

Phase 6: Safety Rules

• Detection-only payloads; never destructive operations (

  $out

  ,

  db.dropDatabase()

  )
• Avoid data exfiltration; use boolean/time-based confirmation
• Do not execute arbitrary JS that modifies data
• Respect rate limits
• Redact credentials, tokens, and personal data in evidence

Output Guidelines

• Keep responses concise (1-4 sentences)
• Include endpoint, payload, detection method, and impact

Validated examples:

NoSQL injection on /login - $ne operator bypassed password check (CWE-943). Admin access without credentials.
MongoDB $where injection on /api/search - sleep(5000) caused 5.1s delay (CWE-943). Server-side JS execution confirmed.
Operator injection on /api/users - $gt operator returned all users instead of filtered set (CWE-943).

Unvalidated example:

NoSQL injection test incomplete on /api/data - operators rejected with 400 Bad Request. Evidence: path/to/evidence.json

CWE Mapping

Primary CWE (DAST-testable):

• CWE-943: Improper Neutralization of Special Elements in Data Query Logic
  • This is THE designated CWE for NoSQL injection
  • Alternate terms: "NoSQL Injection", "NoSQLi"
  • Covers: MongoDB, Cassandra, CouchDB, Redis, Elasticsearch, DynamoDB, and other NoSQL databases

Parent/Related CWEs (context):

• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') — parent class
• CWE-20: Improper Input Validation — related root cause
• CWE-116: Improper Encoding or Escaping of Output — related mitigation failure

Sibling CWEs under CWE-943 (for reference):

• CWE-89: SQL Injection (separate skill)
• CWE-90: LDAP Injection
• CWE-643: XPath Injection
• CWE-652: XQuery Injection

Related Attack Pattern:

• CAPEC-676: NoSQL Injection

Note: Unlike SQL injection (CWE-89), NoSQL injection does not have a dedicated base-level CWE. CWE-943 at the class level is the correct mapping for NoSQL injection vulnerabilities per MITRE guidance.

Notable CVEs (examples)

• CVE-2024-50672 (eLearning Platform): NoSQL injection via Mongoose find function allowing password resets.
• CVE-2021-20736 (Rocket.Chat): NoSQL injection in team collaboration product.
• CVE-2021-22911 (Rocket.Chat): Blind NoSQL injection allowing admin account takeover.
• CVE-2020-35666 (PaaS Platform): NoSQL injection using MongoDB operator.
• CVE-2019-2389 (MongoDB): Information disclosure via aggregation pipeline.
• CVE-2017-18381 (KeystoneJS): NoSQL injection in password reset functionality.

Safety Reminders

• ONLY test against user-approved targets; stop if production protections trigger
• Do not log or store sensitive data; redact in evidence
• Prefer parameterized queries and input validation in mitigations
• Disable server-side JavaScript execution in production MongoDB (

  --noscripting

  )

Reference Implementations

• See

  reference/nosql_payloads.py

  for NoSQLi payloads by database type
• See

  reference/validate_nosqli.py

  for NoSQLi-focused validation flow
• See

  examples.md

  for concrete NoSQLi scenarios and evidence formats

Additional Resources

• OWASP NoSQL Injection
• PortSwigger NoSQL Injection
• CAPEC-676: NoSQL Injection
• HackTricks NoSQL Injection