CyberGlossary

Attacks & Threats

NoSQL Injection

Also known as: NoSQLi

Definition

An injection attack against document, key-value or graph databases where attacker-controlled operators or JavaScript are smuggled into query objects.

NoSQL injection targets databases such as MongoDB, CouchDB, DynamoDB or Redis that expose query languages built from JSON documents, BSON, or embedded JavaScript. Instead of breaking out of strings, an attacker manipulates structure — for example sending a JSON body with operators like {"$ne": null} or {"$where": "..."} to bypass authentication, dump documents, or execute server-side JavaScript. Object deserialization in dynamic languages (PHP, Node.js) often makes the attack trivial because user input becomes part of the query DSL. Defences include strict input typing and schema validation, denying user-supplied operators, parameterized client APIs, disabling server-side JavaScript, and least-privilege database roles.

Examples

  • Submitting {"username": "admin", "password": {"$ne": ""}} to a MongoDB login endpoint to bypass the password check.
  • Abusing {"$where": "sleep(5000) || true"} to enumerate data via timing differences.
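
The two payloads above are exactly what strict input typing and operator denial (the defences named in the definition) are meant to stop; the following Node.js code is an added example, not part of the glossary, showing a login handler's validation step with hypothetical helper names (`containsOperator`, `validateLoginBody`, `buildLoginQuery`) and constructed sample bodies.

```javascript
// Added example (not from the glossary): validate a login body before it reaches a
// MongoDB query, so an attacker-supplied operator such as {"$ne": ""} never becomes
// part of the query object. Function names here are hypothetical.

// Recursively detect MongoDB operator keys ("$ne", "$where") or dotted paths anywhere
// in the parsed body; injecting structure, not strings, is the NoSQLi mechanism.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || k.includes('.') || containsOperator(value[k])
    );
  }
  return false;
}

// Strict typing: each credential must be a plain string of bounded length.
// Objects, arrays, numbers and null are rejected before any query is built.
function validateLoginBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  if (containsOperator(body)) {
    return { ok: false, reason: 'query operators are not allowed in input' };
  }
  for (const field of ['username', 'password']) {
    const v = body[field];
    if (typeof v !== 'string' || v.length === 0 || v.length > 256) {
      return { ok: false, reason: `${field} must be a non-empty string` };
    }
  }
  return { ok: true, username: body.username, password: body.password };
}

// Build the MongoDB filter only from validated strings. The password is deliberately
// not placed in the filter; it is compared against the stored hash after the lookup.
function buildLoginQuery(body) {
  const v = validateLoginBody(body);
  if (!v.ok) throw new Error(`rejected: ${v.reason}`);
  return { username: v.username };
}

// Constructed sample inputs mirroring the glossary's two examples plus a valid login.
const bypassAttempt = { username: 'admin', password: { $ne: '' } };
const whereAttempt = { $where: 'sleep(5000) || true' };
const legitimate = { username: 'alice', password: 'correct horse battery staple' };
```

The same `containsOperator` check applied to every request body (or an equivalent schema validator) is what turns the operator-denial advice into an enforceable rule.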

Related terms