A deep dive of NOSQLi

Gupta Bless
4 min read · Oct 29


As with SQL injection, an attacker is able to inject code into database commands, but here the target is a database that does not use SQL queries, such as MongoDB. As the name “NoSQL” indicates, meaning “not only SQL”, these are databases that do not use the SQL query language. Non-relational databases have become very popular for cloud applications and web applications. They do not store data in tables; instead they store it as documents, graphs, objects, etc.

In this type of injection, attackers can execute commands not only in the database but also in the application itself, which makes it seem more dangerous. Because NoSQL databases do not share a common query language, queries are written in the application’s programming language. This language can be anything, such as JavaScript, PHP, Java, MongoDB, etc. In NoSQL databases, storing and retrieving data is a little different from working with traditional SQL relational tables.

If a user has the username “ABCD” and the password “ABCD@1234”, the query these fields produce in the database looks like:

db.collection.find( { "username": "ABCD", "password": "ABCD@1234" } )

MongoDB uses binary JSON (BSON) and assembles queries from BSON objects with a secure BSON assembly tool, so direct injection is not possible. It nevertheless has potential injection vectors that make it vulnerable to injection attacks.
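One way an application can keep the query shown above in its intended shape, as an added example that is not part of the original article. It assumes the application receives a parsed JSON body whose fields may arrive as objects or arrays rather than strings; `buildLoginFilter`, its helpers and the sample inputs are hypothetical.

```javascript
// Added example: build the login filter only from plain strings.
// All function names and sample values here are hypothetical/constructed.

// True if the value is a non-empty string within a sane length limit.
function isPlainString(value, maxLen = 256) {
  return typeof value === "string" && value.length > 0 && value.length <= maxLen;
}

// Recursively reports whether any key starts with "$", the prefix
// MongoDB uses for query operators.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, child]) => key.startsWith("$") || hasOperatorKeys(child)
  );
}

// Returns { ok: true, filter } or { ok: false, reason }.
function buildLoginFilter(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be an object" };
  }
  if (hasOperatorKeys(body)) {
    return { ok: false, reason: "operator-style key in input" };
  }
  for (const field of ["username", "password"]) {
    if (!isPlainString(body[field])) {
      return { ok: false, reason: `${field} must be a string` };
    }
  }
  // Only the two expected fields are copied; nothing else reaches the query.
  return { ok: true, filter: { username: body.username, password: body.password } };
}

// Constructed sample inputs, as a JSON body parser would deliver them.
const samples = [
  { username: "ABCD", password: "ABCD@1234" },    // expected shape
  { username: "ABCD", password: { "$op": "x" } }, // object; "$op" is a placeholder key
  { username: ["ABCD"], password: "ABCD@1234" },  // array instead of string
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(buildLoginFilter(s)));
}
```

The returned `filter` is what would be passed to `db.collection.find(...)`; rejected inputs never reach the database.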

How to Test

We need to submit fuzz strings and special characters in each input field. If these input fields are not properly sanitized by the application, the input will trigger an error, which may be a database error or some other detectable behavior.

We have an application in which we want to test whether an input field is vulnerable; our aim is to manipulate the input field and see the product categories listed there. To start, we need to insert a special character or fuzz string. When I inserted ' in the application, I got 500 internal server errors.

NoSQL injection vulnerabilities can occur in a variety of contexts, so we need to decide what to do next on the basis of the error. Otherwise we may simply get validation errors and our payloads never get executed. As in the…
