NoSQL Injection

NoSQL injection targets NoSQL databases, which use unstructured queries. These attacks typically exploit applications that handle user input unsafely when interacting with NoSQL databases.

Here is a typical example:

  • A NoSQL database modifies the data in a document that is selected by an ID value.

Example request body
{
    "id": 1,
    "message": "hello"
}

  • Because the ID value is used in the query, we could supply a NoSQL operator in its place to retrieve data from another object.

Example payload (uses the $ne "not equal" operator to make changes in all objects)
{
    "id": {"$ne": 0},
    "message": "hello"
}
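
The request body and payload above, run against an unsafe and a hardened update handler. This is an added example, not code from the original page: the in-memory store, the function names and the small matcher (which models only a literal value and $ne) are assumptions standing in for a real NoSQL driver.

```javascript
// Constructed sample data standing in for a NoSQL collection (not from the page).
function sampleStore() {
  return [
    { id: 1, message: "first" },
    { id: 2, message: "second" },
    { id: 3, message: "third" },
  ];
}

// Minimal filter matcher: models only a literal value and the $ne operator.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if (Object.keys(cond).length === 1 && "$ne" in cond) return doc[field] !== cond.$ne;
      throw new Error("operator not modelled in this example");
    }
    return doc[field] === cond;
  });
}

// Shared update step: set message on every document the filter selects.
function applyUpdate(store, filter, message) {
  let modified = 0;
  for (const doc of store) {
    if (matches(doc, filter)) {
      doc.message = message;
      modified += 1;
    }
  }
  return modified;
}

// Unsafe: body.id is placed in the filter as parsed, so an object such as
// {"$ne": 0} is treated as a query operator instead of a value.
function updateUnsafe(store, body) {
  return applyUpdate(store, { id: body.id }, body.message);
}

// Hardened: require primitive types before the value reaches the filter.
function updateSafe(store, body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new TypeError("body must be a JSON object");
  }
  if (!Number.isSafeInteger(body.id)) throw new TypeError("id must be an integer");
  if (typeof body.message !== "string") throw new TypeError("message must be a string");
  return applyUpdate(store, { id: body.id }, body.message);
}
```

With the payload above, updateUnsafe modifies all three sample documents, while updateSafe rejects the request before any filter is built.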
