NoSQL Injection
detect, understand, remediate
NoSQL injection exploits applications that pass unsanitised input to NoSQL database queries, allowing attackers to bypass authentication, extract data, or manipulate query logic using operators like $gt, $ne, and $regex.
No credit card required. Free plan available forever.
What is NoSQL injection?
NoSQL injection is an injection attack targeting NoSQL databases such as MongoDB, CouchDB, Redis, and DynamoDB. Classified under CWE-943, this vulnerability allows attackers to manipulate database queries by injecting NoSQL-specific operators or syntax into application inputs. While similar in concept to SQL injection, NoSQL injection exploits different mechanisms because NoSQL databases use JSON-based queries, JavaScript expressions, and operator-based filtering rather than structured SQL statements.
The most common form of NoSQL injection targets MongoDB, where attackers inject query operators such as $gt, $ne, $regex, and $where into application parameters. For example, submitting {"$ne": ""} as a password value can bypass authentication entirely because the query matches any document where the password is not empty. This type of attack is especially dangerous in Node.js applications where Express.js automatically parses JSON request bodies and query parameters into objects.
Despite the widespread adoption of NoSQL databases in modern application stacks, many developers assume that moving away from SQL eliminates injection risks. This misconception leads to insufficient input validation and a false sense of security. NoSQL injection can result in authentication bypass, data exfiltration, data modification, and in some cases (particularly with MongoDB's $where clause), arbitrary JavaScript execution on the database server. Regular testing with authenticated scanning tools is critical for identifying these vulnerabilities across all application endpoints.
How it works
Identify NoSQL query input
The attacker identifies input fields, API parameters, or JSON body values that are passed to NoSQL database queries. Login forms, search endpoints, and filter parameters are common targets.
Inject query operators
The attacker submits NoSQL operators ($gt, $ne, $regex, $exists) as parameter values. In MongoDB, sending {"username": "admin", "password": {"$ne": ""}} bypasses password validation.
Bypass auth or extract data
Successful operator injection allows the attacker to bypass authentication checks, enumerate database contents using $regex operators, or extract data by manipulating query conditions.
Escalate access
With initial access established, the attacker escalates by using $where clauses for JavaScript execution, extracting admin credentials, or manipulating application data to gain elevated privileges.
Common causes
Unsanitized JSON input in queries
Passing user-supplied JSON objects directly into MongoDB query methods like find(), findOne(), or updateOne() without stripping operator keys. Express.js body parsing automatically converts JSON strings to objects, enabling operator injection.
Query operator injection
Accepting object-type values where only strings are expected. When an application receives {"$ne": ""} instead of a string password, MongoDB interprets the operator and matches any non-empty value.
JavaScript execution in $where clauses
MongoDB's $where operator allows arbitrary JavaScript execution within queries. If user input reaches a $where clause, attackers can run JavaScript code on the database server to extract data or manipulate records.
String-to-object coercion
Query string parsers and body parsers that automatically convert nested bracket notation (e.g., user[$ne]=1) into JavaScript objects. This enables operator injection even through URL parameters and form submissions.
How to detect it
Automated detection
- SecPortal's authenticated scanner automatically tests endpoints with NoSQL operator payloads ($ne, $gt, $regex) to identify injection points in login forms, APIs, and search functionality
- Error-based detection identifies NoSQL injection by analyzing application error responses when malformed operators or invalid BSON types are submitted to database-backed endpoints
- SecPortal's code scanner identifies unsafe patterns such as direct user input in MongoDB query objects, missing type validation, and use of $where clauses with external data
Manual testing
- Submit {"$ne": ""} or {"$gt": ""} as password or authentication field values and observe whether authentication is bypassed
- Test query string parameters with bracket notation (e.g., ?username[$ne]=invalid) to check if the application's query parser converts them to operator objects
- Use $regex operator injection to enumerate database field values character by character, confirming data extraction capability and measuring the scope of the vulnerability
How to fix it
Validate and enforce input types
Explicitly check that all user inputs match their expected types before using them in database queries. If a field should be a string, reject any object or array values. Use typeof checks or schema validation libraries like Joi or Zod.
Use parameterized queries and sanitization
Sanitize all user inputs by stripping keys that begin with $ before passing them to database queries. Libraries like mongo-sanitize and express-mongo-sanitize automatically remove operator keys from request data.
Disable server-side JavaScript execution
Disable MongoDB's server-side JavaScript features by setting javascriptEnabled: false in the MongoDB configuration. Avoid using $where, mapReduce, and $accumulator operators that execute arbitrary JavaScript.
Implement strict type checking at the API layer
Define explicit schemas for all API endpoints using TypeScript, JSON Schema, or validation middleware. Reject requests where parameter types do not match the schema, preventing automatic type coercion from enabling injection.
Use an ODM with schema validation
Use an Object-Document Mapper like Mongoose with strict schema definitions. Mongoose schemas enforce field types at the application layer, preventing operator objects from being interpreted as query conditions. Enable strict mode to reject fields not defined in the schema.
Compliance impact
Related vulnerabilities
Detect NoSQL injection automatically
SecPortal tests for MongoDB operator injection, authentication bypass, and data extraction across all authenticated endpoints. Start free.
No credit card required. Free plan available forever.