
feat: Add NoSQL injection vulnerability guide

Open timlzh opened this issue 3 weeks ago • 0 comments

Adds a detailed NoSQL injection detection guide following the existing template structure.

Changes

✅ Added nosql_injection.jinja - NoSQL Operator injection, JavaScript execution, ODM exploitation, blind extraction techniques

Testing

Guide follows the established format and includes:

  • Critical context and scope
  • Methodology
  • Injection surfaces
  • Database-specific primitives (MongoDB, CouchDB, Redis, Cassandra, Neo4j)
  • Authentication bypass techniques
  • Data extraction methods
  • WAF/filter bypasses
  • Validation criteria
  • Pro tips

Examples

MongoDB Operator Injection

  • Authentication bypass: {"username": {"$ne": ""}, "password": {"$ne": ""}}
  • Regex extraction: {"password": {"$regex": "^a.*"}} for character-by-character enumeration
  • Query string notation: ?username=admin&password[$ne]=wrongpass

JavaScript Execution

  • $where clause: {"$where": "sleep(5000)"} for timing-based detection
  • $function operator (MongoDB 4.4+): server-side JS in aggregation pipelines
  • Object.keys() enumeration for field discovery

Blind Extraction

  • Binary search via regex ranges: ^[a-m] vs ^[n-z]
  • Timing oracle: conditional sleep in $where clauses
  • ReDoS patterns: {"$regex": "^(a+)+$"} for pathological backtracking

WAF Bypasses

  • URL encoding: %24ne instead of $ne
  • JSON unicode escapes: \u0024ne
  • Operator alternatives: $not instead of $ne, $nin for negation

Framework-Specific Issues

  • Mongoose: find(req.body) without sanitization
  • PyMongo: unsanitized dictionaries from JSON input
  • GraphQL + MongoDB: operator injection via variables

timlzh, Dec 03 '25 16:12
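Defensive counterpart to the operator-injection shapes listed in the PR description, added here as an example that is not code from the strix repo or from the guide under review: a recursive check that rejects `$`-prefixed keys in a parsed JSON body or a bracket-notation query string before the input can reach something like Mongoose `find(req.body)`. The helper names and the small bracket-notation parser are assumptions constructed for this example.

```javascript
// Added example (not from the strix repo): reject MongoDB operator injection in
// untrusted input before it reaches a query such as Model.find(req.body).

// Returns the dotted path of the first "$"-prefixed or "."-containing key found
// at any depth in value (arrays included), or null when the input is clean.
function findOperatorKey(value, path = "") {
  if (value === null || typeof value !== "object") return null;
  for (const key of Object.keys(value)) { // arrays yield their index keys here
    const keyPath = path ? `${path}.${key}` : key;
    if (key.startsWith("$") || key.includes(".")) return keyPath;
    const hit = findOperatorKey(value[key], keyPath);
    if (hit) return hit;
  }
  return null;
}

// Minimal qs/Express-style bracket parser (constructed for this example) so the
// query-string form can be checked too: "password[$ne]=x" -> {password: {$ne: "x"}}.
function parseBracketQuery(qs) {
  const out = {};
  for (const pair of qs.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    // percent-decoding first means "%24ne" collapses to "$ne" before the check
    const parts = decodeURIComponent(rawKey).replace(/\]/g, "").split("[");
    let node = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof node[parts[i]] !== "object") node[parts[i]] = {};
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// Hardened login lookup: credentials must be plain strings, so {"$ne": ""} can never be treated as an operator.
function buildLoginQuery(body) {
  const hit = findOperatorKey(body);
  if (hit) throw new TypeError(`operator key rejected: ${hit}`);
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string")
    throw new TypeError("username and password must be strings");
  return { username, password }; // password is compared as a hash, not queried
}
```

JSON unicode escapes are handled the same way: `JSON.parse` turns `"\u0024ne"` into the key `$ne` before the check runs, so the escape does not bypass it.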