
NoSQL Injection

Intermediate

This MongoDB-backed application is vulnerable to NoSQL injection. Exploit operator injection, $where JavaScript execution, and then learn how to fix it with proper input validation.

app.io/api/login

MongoDB Login

MongoDB Query Constructed
db.users.find({
username: "...",
password: "..."
})

Challenges

1. Operator Injection: Bypass MongoDB login by injecting a comparison operator as the password value.
2. $where Exploitation: Inject JavaScript into a MongoDB $where query to extract data.
3. Apply the Fix: Configure the correct input validation to prevent NoSQL injection.
How to fix NoSQL injection
Input validation and schema enforcement prevent operator injection
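The login filter shown above, built the vulnerable way beside a hardened version that enforces the input schema before anything reaches the query. This is an added example and not the simulation's own code; the function names, the field length limits and the sample request bodies are assumptions made for the illustration.

```javascript
// Added example (not the simulation's own code): hardening the login query
// shown on this page. The vulnerable version passes the parsed JSON body
// straight into the filter, so an object value such as { "$ne": "" } is
// interpreted by MongoDB as a comparison operator instead of a literal string.

// Vulnerable construction: whatever the client sent becomes the filter.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// True only for a plain string (not an object, array, number, etc.).
function isPlainString(value) {
  return typeof value === "string";
}

// True if any nested key anywhere in the input starts with "$", which is
// how MongoDB spells its query operators ($ne, $gt, $regex, $where, ...).
function containsOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  return Object.keys(value).some(
    (k) => k.startsWith("$") || containsOperatorKey(value[k])
  );
}

// Hardened construction: enforce the schema (both fields must be strings of
// bounded length, and no operator keys may appear) before the value is used.
// Returns null on failure so the caller can answer 400 instead of querying.
// Length limits (64 / 128) are assumed values for this example.
function buildLoginQuerySafe(body) {
  if (body === null || typeof body !== "object") return null;
  if (containsOperatorKey(body)) return null;
  const { username, password } = body;
  if (!isPlainString(username) || !isPlainString(password)) return null;
  if (username.length === 0 || username.length > 64) return null;
  if (password.length === 0 || password.length > 128) return null;
  // Only literal string values ever reach the filter, never client objects.
  return { username: String(username), password: String(password) };
}

// Constructed sample inputs: a normal login and an operator-injection attempt
// as it would arrive from a JSON request body.
const legit = { username: "alice", password: "hunter2" };
const injected = JSON.parse('{"username":"alice","password":{"$ne":""}}');

console.log(buildLoginQueryUnsafe(injected)); // operator reaches the query
console.log(buildLoginQuerySafe(injected));   // null: request rejected
console.log(buildLoginQuerySafe(legit));      // literal-only filter
```

The same rule applies to the $where challenge: never assemble a $where string from request data; express the condition with ordinary query operators on validated values so no server-side JavaScript is evaluated.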

Frequently Asked Questions