# NoSQL injection

## What is it?

NoSQL injection is a vulnerability in which an attacker manipulates the queries an application sends to a NoSQL database by supplying crafted user input.

**A simple example:**

* A vulnerable web application has the endpoint `/search?user={username}`
* When a request is made, the application queries a NoSQL database (e.g., MongoDB) like this: `db.users.find({username: {$eq: username}})`
* If an attacker inserts a payload such as `{"$ne": ""}` in place of `{username}`, it may modify the query to retrieve all users.
* The vulnerable application sends this query to the database, potentially leaking all usernames.
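To make the mechanism concrete from the defender's side, here is an added example (not code from the page or from any project it describes) that builds the MongoDB filter such an endpoint would pass to `db.users.find(...)`, once without validation and once with it. No database connection is used; the function names, the `requireString`/`stripOperators` helpers and the sample request bodies are all assumptions constructed for the example.

```javascript
// Added example, not code from the page: builds the MongoDB filter an
// endpoint like /search?user={username} would pass to db.users.find(...),
// once unsafely and once with input validation. No database connection is
// needed; the point is what reaches the query object.

// Vulnerable: the value the body/query parser produced goes straight into
// the filter. If it is an object such as {"$ne": ""}, that object becomes
// an operator expression inside the query.
function buildFilterVulnerable(username) {
  return { username: username };
}

// Hardening step 1: enforce the type the field is supposed to have.
// A username is a string, so objects, arrays, numbers and undefined are
// refused before any query is built.
function requireString(value, name) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

// Hardened builder: the query shape is fixed by the application and the
// user can only influence the string operand.
function buildFilterHardened(username) {
  return { username: { $eq: requireString(username, 'username') } };
}

// Hardening step 2 (defence in depth, for fields that legitimately accept
// objects): drop every key starting with '$' at any depth, so user data
// can never introduce an operator. Same idea as the mongo-sanitize package.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const cleaned = {};
    for (const [key, inner] of Object.entries(value)) {
      if (key.startsWith('$')) continue;
      cleaned[key] = stripOperators(inner);
    }
    return cleaned;
  }
  return value;
}

// Constructed request bodies, exactly as a JSON body parser would hand
// them to a route handler (not captured from any real application).
const CONSTRUCTED_BODIES = [
  JSON.parse('{"username": "alice"}'),
  JSON.parse('{"username": {"$ne": ""}}'),
];

// Runs both builders over the sample bodies and reports what the database
// would have received in each case.
function compare(bodies = CONSTRUCTED_BODIES) {
  return bodies.map((body) => {
    let hardened;
    try {
      hardened = buildFilterHardened(body.username);
    } catch (err) {
      hardened = `rejected: ${err.message}`;
    }
    return { vulnerable: buildFilterVulnerable(body.username), hardened };
  });
}

for (const result of compare()) {
  console.log(JSON.stringify(result));
}
```

Note that "string" sources are not safe by default: query-string parsers that support bracket notation (Express's default extended parser, built on `qs`, is one) turn `user[$ne]=` into `{ user: { $ne: '' } }`, so the type check applies to URL parameters just as much as to JSON bodies. The type check is the primary control; `stripOperators` is a fallback for fields that genuinely accept structured input.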

Payloads vary with the database, the query, and the application. NoSQL injection can lead to:

* Sensitive data exposure
* Data manipulation
* Denial of service

**Other learning resources:**

**Writeups:**

*Have a good writeup & want to share it here? Drop me a message on LinkedIn.*

## Checklist:

* [ ] What is the technology stack you're attacking?
* [ ] What NoSQL DB is being used (MongoDB, CouchDB, etc.)?
* [ ] Verify injection points:
  * [ ] URL parameters
  * [ ] Form fields
  * [ ] HTTP headers (e.g., cookies)
  * [ ] Out-of-band (data retrieved from a third party)
* [ ] Test with different operators: `$eq`, `$ne`, `$gt`, `$gte`, `$lt`, `$lte`, etc.
* [ ] Can you trigger different responses?
* [ ] Test for login bypass: `{"$ne": ""}`
* [ ] Test for blind NoSQLi
* [ ] Test for errors
* [ ] Test for conditional responses
* [ ] Test for conditional errors
* [ ] Test for time delays
* [ ] Test for out-of-band interactions
* [ ] Is there a blocklist?
  * [ ] Can you bypass the blocklist?

## Exploitation

```
# basic login bypass
{"username": "anyname", "password": {"$ne": ""}}
```

```
# retrieve data
{"$where": "this.someField == 'someValue'"}
```

```
# blind
{"someField": {"$regex": "^someValue"}}
```
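The payloads above are also what a defender should be looking for in traffic. The following added example (not from the page or any project it describes) scans web-server log entries for operator syntax in URL parameters and JSON bodies and rates `$where` highest because it runs server-side JavaScript. The log format (one JSON object per line with `path` and an optional `body` string), the function names and the sample lines are all assumptions constructed for the example.

```javascript
// Added example, not code from the page: a detector that scans web-server
// log entries for NoSQL operator syntax in URL parameters and JSON bodies.
// The log format is an assumption: one JSON object per line with "path"
// and an optional "body" string, as a reverse proxy or app logger might emit.

// MongoDB query operators the page lists, plus the ones most often seen
// in malicious payloads ($where runs server-side JavaScript).
const OPERATOR_RE = /\$(eq|ne|gt|gte|lt|lte|in|nin|regex|where|exists|or|and|not)\b/i;

// Walks a parsed JSON value and returns the dotted path of every key that
// starts with '$', at any depth.
function findOperatorKeys(value, path = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findOperatorKeys(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, inner] of Object.entries(value)) {
      const keyPath = path ? `${path}.${key}` : key;
      if (key.startsWith('$')) out.push(keyPath);
      findOperatorKeys(inner, keyPath, out);
    }
  }
  return out;
}

// Percent-decodes without throwing on malformed input (a malformed
// sequence is itself worth keeping rather than dropping the line).
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Checks each key=value pair of the query string for operator syntax,
// which covers bracket-style keys such as user[$ne]= as well as raw
// JSON smuggled into a value.
function scanQueryString(path) {
  const idx = path.indexOf('?');
  if (idx < 0) return [];
  return safeDecode(path.slice(idx + 1))
    .split('&')
    .filter((pair) => OPERATOR_RE.test(pair));
}

// Scores one log entry: 'high' when $where is present, 'medium' for any
// other operator, 'none' otherwise.
function scanEntry(entry) {
  const findings = scanQueryString(entry.path).map((pair) => ({ location: 'query', detail: pair }));
  if (typeof entry.body === 'string') {
    let parsed = null;
    try { parsed = JSON.parse(entry.body); } catch { /* not JSON: nothing to walk */ }
    for (const keyPath of findOperatorKeys(parsed)) {
      findings.push({ location: 'body', detail: keyPath });
    }
  }
  let severity = 'none';
  if (findings.length > 0) {
    severity = findings.some((f) => /\$where\b/i.test(f.detail)) ? 'high' : 'medium';
  }
  return { ts: entry.ts, ip: entry.ip, path: entry.path, severity, findings };
}

// Returns only the entries that contain operator syntax.
function scanLog(lines) {
  return lines.map((line) => scanEntry(JSON.parse(line))).filter((r) => r.severity !== 'none');
}

// Constructed sample log lines (not real traffic; RFC 5737 test addresses).
const SAMPLE_LOG = [
  '{"ts":"2024-01-01T10:00:00Z","ip":"203.0.113.5","path":"/search?user=alice"}',
  '{"ts":"2024-01-01T10:00:01Z","ip":"203.0.113.5","path":"/search?user[$ne]="}',
  '{"ts":"2024-01-01T10:00:02Z","ip":"203.0.113.7","path":"/login","body":"{\\"username\\":\\"bob\\",\\"password\\":{\\"$ne\\":\\"\\"}}"}',
  '{"ts":"2024-01-01T10:00:03Z","ip":"203.0.113.9","path":"/items","body":"{\\"$where\\":\\"this.price < 1\\"}"}',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.severity.toUpperCase()} ${hit.ip} ${hit.path} ${JSON.stringify(hit.findings)}`);
}
```

Operator names in legitimate traffic (a search for the literal text "$ne", say) will produce false positives, so the output is a triage signal rather than a block decision. On the MongoDB side, `$where` and other server-side JavaScript can be switched off entirely with `security.javascriptEnabled: false` in the `mongod` configuration, which removes that class of payload regardless of what the application passes through.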

## References & Resources

{% embed url="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection" %}
OWASP WSTG - Testing for NoSQL
{% endembed %}

{% embed url="https://portswigger.net/web-security/nosql-injection" %}
PortSwigger NoSQL Injection
{% endembed %}

