NoSQL Injection: A Walkthrough on PortSwigger’s Lab
NoSQL databases such as MongoDB offer flexibility and scalability, but they are vulnerable to NoSQL injection when an application passes client-supplied values straight into a query. Because a JSON request body can carry objects as well as strings, an attacker can replace a value with a query operator and change what the database is asked to match. In this write-up, I’ll walk you through a NoSQL operator injection on one of PortSwigger’s labs. This will not only illustrate the vulnerability but also demonstrate how to exploit it effectively.
Lab Overview
We’re provided with the following scenario:
“The login functionality for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection using MongoDB operators. To solve the lab, log into the application as the administrator user.”
You can log into your own account using the credentials: wiener:peter
The lab interface is quite similar to other labs offered by PortSwigger. Let’s dive in.
Initial Setup: Capturing the Login Flow
First, log in using the provided credentials to observe the typical login flow. To do this, make sure your browser is configured to route traffic through Burp Suite’s proxy.
Once logged in, you’ll see in the proxy history that the login data (username and password) is sent as a JSON body rather than as form fields. That matters: a JSON value can be an object, not just a string. Now, let’s send this request to Burp’s Repeater for further analysis and tampering.
Exploiting NoSQL Injection
To begin, let’s experiment with logging into the “wiener” account using some MongoDB query syntax instead of the correct password. By tampering with the password field, we can identify whether the application is vulnerable to NoSQL injection.
In this case, the password string was replaced with the object {"$ne": ""} (the $ne operator means “not equal to”), so the body sent was {"username":"wiener","password":{"$ne":""}}. Because the server embeds the parsed JSON directly in its query, the password condition becomes “password is not equal to the empty string”, which is true for any account with a password. This allowed us to bypass the password check and log in successfully, receiving a 302 Found response.
Finding the Administrator Account
Now that we know the password field is injectable, our next goal is to log in as the administrator. However, using the same payload with the username set to “admin” results in an “Invalid username or password” error.
This suggests that the password bypass works but that the administrator account is not literally named “admin”. Since the username field is also taken from the JSON body, we can inject an operator there too, and MongoDB’s $regex operator lets us match the name without knowing it exactly.
By sending the following body:
{
"username": {"$regex": "admin.*"},
"password": {"$ne": ""}
}
we instruct the database to find any username that contains “admin” followed by any characters (the .* in the regex). Note that the pattern is unanchored, so it would also match a name such as “superadmin”; writing ^admin anchors it to the start of the username. The password bypass payload then lets us in without knowing the administrator’s password.
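To make the two steps above concrete, here is an added example that is not part of the original post or of the lab’s code. It models, in Node.js, a login handler that passes the parsed JSON body straight into a MongoDB-style filter, alongside a hardened version that insists on string credentials. The user records, the tiny filter evaluator (which understands only equality, $ne and $regex) and the admin username “admin9f3a” are constructed for the demo; the real lab’s admin name is not known here.

```javascript
// Added example (not from the PortSwigger lab or the original post).
// Assumption: the vulnerable app does findOne({ username, password }) with
// values taken verbatim from the JSON request body.

// Constructed user records; "admin9f3a" stands in for the lab's admin account.
const USERS = [
  { username: 'wiener', password: 'peter' },
  { username: 'carlos', password: 'montoya' },
  { username: 'admin9f3a', password: 'hunter2xyz' },
];

// Minimal subset of MongoDB matching: a plain value compares with equality,
// an object is treated as an operator document. Only $ne and $regex are
// modelled, which is enough to reproduce the walkthrough.
function matchesField(actual, expected) {
  if (expected !== null && typeof expected === 'object') {
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case '$ne':
          return actual !== arg;
        case '$regex':
          return new RegExp(arg).test(String(actual));
        default:
          throw new Error(`operator ${op} not modelled here`);
      }
    });
  }
  return actual === expected;
}

// In-memory stand-in for collection.findOne(filter).
function findOne(filter) {
  const hit = USERS.find((doc) =>
    Object.entries(filter).every(([field, expected]) => matchesField(doc[field], expected)),
  );
  return hit || null;
}

// VULNERABLE: whatever the client sent becomes the filter, so a JSON object
// in either field is interpreted as a query operator.
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? user.username : null;
}

// HARDENED: operator injection needs a non-string value, so reject anything
// that is not a string before it reaches the query. A schema-backed ODM or a
// type-checked query builder gives the same guarantee.
function loginHardened(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  const user = findOne({ username: body.username, password: body.password });
  return user ? user.username : null;
}

// The two request bodies from the walkthrough, parsed as the server would
// parse them. "^admin" would anchor the regex; "admin.*" matches anywhere.
const BYPASS_WIENER = JSON.parse('{"username":"wiener","password":{"$ne":""}}');
const FIND_ADMIN = JSON.parse('{"username":{"$regex":"admin.*"},"password":{"$ne":""}}');

// Returns a summary of which handler each payload gets past.
function demo() {
  return {
    vulnerableWiener: loginVulnerable(BYPASS_WIENER),
    vulnerableAdmin: loginVulnerable(FIND_ADMIN),
    hardenedWiener: loginHardened(BYPASS_WIENER),
    hardenedAdmin: loginHardened(FIND_ADMIN),
  };
}

console.log(demo());
```

Running it shows the vulnerable handler returning “wiener” for the $ne payload and “admin9f3a” for the $regex payload, while the hardened handler rejects both because the injected values are objects, not strings. A genuine login with a string username and password still succeeds against the hardened version, which is the point: the fix is a type check on the query input, not a blocklist of operator names.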
Conclusion: Successfully Logging in as Admin
As expected, we receive a 302 Found response whose Set-Cookie header carries the administrator’s session. By right-clicking the response in Burp Suite and opening it in the browser, that cookie is applied to the browser session, and we are logged in as the administrator.
And there you have it! We’ve successfully solved the lab using NoSQL injection techniques.
Final Thoughts
This lab demonstrates how powerful and dangerous NoSQL injection can be when dealing with MongoDB. By leveraging MongoDB operators like $ne and $regex, an attacker can bypass authentication and gain unauthorized access without knowing a single password. The root cause is that values of any JSON type were passed into the query unchanged. To protect against this, enforce that credential fields are strings before they reach the database (or cast them explicitly), prefer a schema-backed ODM or query builder over hand-built filter objects, and reject input keys that begin with $.