NoSQL Injection
What is NoSQL Injection?
NoSQL Injection: An injection attack that manipulates the operators, JSON, or query DSL of a NoSQL database to bypass logic or extract data.
NoSQL injection exploits applications that build queries for document or key-value stores (such as MongoDB, CouchDB, or Elasticsearch) from untrusted input. Instead of injecting SQL syntax, attackers tamper with JSON structure, operators like $ne or $gt, or query-language fragments to authenticate without credentials, return arbitrary documents, or trigger server-side JavaScript evaluation when the engine supports it. Blind variants leak data through boolean or time-based behaviour. Defences include strict schema validation, casting inputs to expected primitive types, rejecting object payloads where a string is expected, using driver query builders with explicit operators, and applying least-privilege roles to database users.
● Examples
- 01: Sending {"username": "admin", "password": {"$ne": null}} to a MongoDB login that compares hashed passwords with a string.
- 02: Injecting a JavaScript expression into a $where clause to enumerate documents from a vulnerable endpoint.
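The login case from Example 01 and the "reject object payloads where a string is expected" defence from the definition, as an added example that is not part of the original page: a filter assembled straight from the request body beside a hardened version. It uses no MongoDB driver; the `users` collection and the `matches` helper (a stand-in for the single `$ne` operator needed here) are constructed for the demonstration.

```javascript
// Added example, not from the original page: a login filter assembled from
// untrusted JSON beside a hardened version that rejects non-string input.
// No MongoDB driver is used; `users` is a constructed in-memory collection and
// `matches` is a tiny stand-in for the one operator ($ne) needed here.

// Constructed sample collection (passwords kept in clear only to keep the
// filter logic visible; a real store would hold password hashes).
const users = [
  { username: "admin", password: "correct-horse" },
  { username: "alice", password: "battery-staple" },
];

// Stand-in matcher: plain values compare by equality, an object of the form
// { $ne: v } is treated as the MongoDB "not equal" operator.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object" && "$ne" in cond) {
      return doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}

// Vulnerable: request-body values are copied into the filter unchanged, so a
// JSON object such as {"$ne": null} arrives as a query operator instead of a
// password string, and the filter matches any document with that username.
function findUserVulnerable(body) {
  const filter = { username: body.username, password: body.password };
  return users.find((u) => matches(u, filter)) || null;
}

// Hardened: insist on the expected primitive type before the value can reach
// the query, so an operator object is rejected at the boundary.
function asString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

function findUserHardened(body) {
  const filter = {
    username: asString(body.username, "username"),
    password: asString(body.password, "password"),
  };
  return users.find((u) => matches(u, filter)) || null;
}
```

Parsing the body with a JSON schema that types `password` as a string, or applying the same check in a validation middleware, moves this rejection out of each handler.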
● Frequently asked questions
What is NoSQL Injection?
An injection attack that manipulates the operators, JSON, or query DSL of a NoSQL database to bypass logic or extract data. It belongs to the Attacks & Threats category of cybersecurity.
What does NoSQL Injection mean?
An injection attack that manipulates the operators, JSON, or query DSL of a NoSQL database to bypass logic or extract data.
How do you defend against NoSQL Injection?
Defences for NoSQL Injection typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for NoSQL Injection?
Common alternative names include: NoSQLi.