NoSQLi

Insert NoSQL query to bypass authentication and retrieve data from the database

By Ren Sie

Refer: OWASP A03:2021 (Injection)

NoSQL injection is similar to SQL injection in that it allows an attacker to manipulate or inject malicious input into a NoSQL query to retrieve, modify, or delete data. However, the key difference lies in the database type and query language.

  • SQLi
    • SQL database (E.g., MariaDB, MySQL, PostgreSQL)
    • Structured Query Language
  • NoSQLi
    • Semi-structured database (E.g., MongoDB, CouchDB)
    • JSON-like documents or key-value pairs

Types of NoSQLi

  1. Syntax injection: Attacker injects an unclosed string literal ('), to break the query’s logic.
  2. Operator injection: Attacker injects NoSQL operator ($gt, $lt, $eq, $ne, $regex, etc.) into the query, changing the query’s logic to return unintended results or bypass authentication.

Lab

  1. Detect NoSQLi, and retrieve hidden data.
    a. Use a single quote (') to break the query and trigger a server error.
    b. Insert boolean/truthy expression payloads to manipulate the server response and reveal hidden items.
      GET /filter?category=Pets '||'1'=='1
      GET /filter?category=Pets '||1|| '
    
  2. NoSQL operator injection to bypass authentication
    a. $regex operator to match any username containing adm.
    b. $ne operator to bypass the password check.
      {"username":{"$regex":"adm.*"},"password":{"$ne":""}}
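The operator-injection case in lab 2 only works because the login handler passes parsed JSON straight into the MongoDB filter. The snippet below is an added example, not code from the original post: it contrasts a vulnerable filter builder with a hardened one that enforces string types, plus a small detector for `$`-prefixed keys that can be reused in request logging or WAF rules. Function names and the sample bodies are assumptions; no database connection is needed, since only the filter document is built.

```javascript
// Added example (not from the original post). Shows how operator injection
// reaches a MongoDB filter and the input validation that stops it.

// Vulnerable: parsed JSON is dropped straight into the filter, so a body like
// {"username":{"$regex":"adm.*"},"password":{"$ne":""}} becomes a query that
// matches any user whose name contains "adm" and whose password is non-empty.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened: credentials must be plain strings. JSON operators parse to objects,
// so objects, arrays and numbers are rejected before any filter exists.
// (In a real app the password would be verified against a stored hash after
// looking up the user by username, never matched inside the filter.)
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  // Length bound so a regex-heavy payload cannot hide in an oversized string.
  if (username.length > 64 || password.length > 256) {
    throw new RangeError('credential too long');
  }
  return { username, password };
}

// Detection helper: does a parsed body carry a key starting with '$' at any
// depth? Every MongoDB query operator has that shape, so this flags the
// attempt for logging even when validation already blocks it.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperatorKey(v)
    );
  }
  return false;
}

// Constructed request bodies: the lab payload and a normal login.
const attackBody = JSON.parse(
  '{"username":{"$regex":"adm.*"},"password":{"$ne":""}}'
);
const normalBody = { username: 'alice', password: 'correct horse' };
```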
    