Skill

nosql-injection

Detects NoSQL injection risks in MongoDB, Elasticsearch queries with user input. Enforces primitive type checks, blocks $where/$expr, prevents raw param passthrough.

MongoDB

security

database

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against NoSQL injection where user input manipulates query operators or

SKILL.md

Similar Skills

exploiting-nosql-injection-vulnerabilities

Detects and exploits NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access during web penetration testing and API security reviews.

7 files

cybersecurity-skills-zh

exploiting-nosql-injection-vulnerabilities

5.9k

Detects and exploits NoSQL injection in MongoDB/CouchDB via JSON payloads for auth bypass and data extraction during web app pentesting and API security audits.

7 files

cybersecurity-skills

exploiting-nosql-injection-vulnerabilities

Detects and exploits NoSQL injection vulnerabilities in MongoDB and CouchDB for authentication bypass, data extraction during web app pentests and bug bounties.

asi

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

NoSQL Injection Security Check (CWE-943)

What this checks

Protects against NoSQL injection where user input manipulates query operators or structure. Unlike SQL injection, NoSQL injection exploits operator injection ($gt, $ne, $regex) and JavaScript execution in database engines. Exploitation leads to authentication bypass, data exfiltration, and denial of service.

Vulnerable patterns

db.users.find({user: req.body.user, pass: req.body.pass}) — {pass: {$ne: ""}} bypasses auth
collection.find({"$where": f"this.name == '{user_input}'"}) — JS injection in $where
db.collection.find(JSON.parse(req.query.filter)) — arbitrary query operator injection
Model.find(req.query) — Mongoose passes raw query params as operators

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Every value destined for a query filter is type-checked as a primitive. Reject anything that isn't a string, number, or boolean before it reaches the query builder. The classic {pass: {$ne: ""}} auth bypass works because the deserialized JSON was allowed to be an object; type-coercing it to a string turns $ne into a literal that can't match.
$where, $expr, and $function never receive user-supplied values. These operators accept JavaScript or expression strings that the database engine evaluates; with user input in them, the database is an interpreter running attacker code.
Raw request bodies and query objects are not passed directly as filters. Build the query object explicitly from validated, named fields — the same allowlist discipline that defeats mass assignment (see the mass-assignment skill for ORM-side details).

Anchor — shape, not implementation:

require(isinstance(username, str))                 # reject objects / arrays
user = db.users.find_one({"username": username})   # primitive, not operator
# never: db.users.find({"$where": f"this.name == '{user_input}'"})
# never: collection.find(req.body)                 # operators smuggle in

Verification

Every value in a NoSQL query filter derived from user input is explicitly type-checked as a primitive (string, number) — not an object or array that could contain query operators
$where, $expr, and $function are never used with user-supplied values
Raw request bodies or query parameters are never passed directly as database query filters

References

CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)