A deep dive of NOSQLi

Gupta Bless
4 min read · Oct 29, 2023

Introduction

Like SQL injection, NoSQL injection lets an attacker inject input into the commands an application sends to its database, but here the target is a database that does not use the SQL query language, such as MongoDB. As the name indicates, NoSQL means "not only SQL": these are databases that do not use the SQL query language. Non-relational databases are growing rapidly in popularity for cloud applications and web applications. They do not store data in tables; instead they are well suited to storing documents, graphs, objects and so on.

In this type of injection the attacker not only executes commands against the database but can also affect the application itself, which makes it more dangerous. Because NoSQL databases have no common query language, queries are written in the application's own programming language, for example JavaScript, PHP or Java, against a database such as MongoDB. Storing and retrieving data in a NoSQL database is also somewhat different from the traditional SQL relational tables.

If a user has the username "ABCD" and the password "ABCD@1234", the query these fields produce against the database looks like this:

db.collection.find( { "username": "ABCD", "password": "ABCD@1234" } )

As for MongoDB, it uses binary JSON (BSON): queries are assembled as BSON objects by the driver rather than concatenated as query text, so direct injection of query syntax is not possible, but it still includes the potential for injection…
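The login query above shows why the injection surface in MongoDB is the shape of the filter object rather than a string. The following is an added example, not code from the original post: a hypothetical `buildLoginFilter` in both an unsafe and a hardened form, plus a `containsOperator` check that flags any filter in which user input has introduced a query-operator key (a key beginning with `$`). The request bodies are constructed sample values.

```javascript
// Added example (not from the original post). MongoDB filters are plain
// JSON objects, so if decoded request JSON is placed straight into the
// filter, a client can send an object where the server expects a string
// and change the query's meaning without ever injecting query text.

// Vulnerable construction (hypothetical application code): whatever the
// client sent for "username"/"password" goes directly into the filter.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened construction: credential fields must be non-empty strings of
// bounded length; anything else is rejected before it reaches the query.
function buildLoginFilterSafe(body) {
  const filter = {};
  for (const field of ["username", "password"]) {
    const value = body[field];
    if (typeof value !== "string" || value.length === 0 || value.length > 256) {
      throw new TypeError(`${field} must be a non-empty string`);
    }
    filter[field] = value;
  }
  return filter;
}

// Defensive check usable on any filter built from user input: true if any
// nested object key starts with "$", i.e. a query operator crept in.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([key, inner]) => key.startsWith("$") || containsOperator(inner)
    );
  }
  return false;
}

// Constructed sample request bodies, as JSON.parse of a POST body yields them.
const normalBody = { username: "ABCD", password: "ABCD@1234" };
// "$op" is a placeholder for any operator key; the point is the value is an
// object, not a string.
const craftedBody = { username: "ABCD", password: { "$op": "" } };

console.log(containsOperator(buildLoginFilterUnsafe(craftedBody))); // true
```

The unsafe builder lets the crafted body through and `containsOperator` flags it; the safe builder throws a `TypeError` on the same input, which is the check to apply at the request boundary.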
