Introduction to NoSQL Injection


In this module, we will look at exploiting NoSQL injection vulnerabilities, specifically in MongoDB, with examples in Python, PHP, and Node.js.

Created by bmdyy


Summary

NoSQL is an alternative to traditional SQL databases, and in this module, we will focus on exploiting NoSQL injection vulnerabilities. We will look at MongoDB specifically, since it is the most used NoSQL database in the world.

In this module, we will cover the following:

  1. Introduction: NoSQL, MongoDB, and NoSQL injection in MongoDB are explained.
  2. Basic NoSQL Injection: We will walk through exploiting two different (basic) NoSQL injection vulnerabilities.
  3. Blind Data Exfiltration: We will cover exploiting two different blind NoSQL injection vulnerabilities, including writing our own scripts to automate the process.
  4. Tools of the Trade: We will cover fuzzing and various public tools commonly used when testing for NoSQL injection vulnerabilities.
  5. Defending against NoSQL Injection: This chapter covers the 'correct' way to use MongoDB in various languages to avoid NoSQL injection.
  6. Skills Assessment: You are given access to two websites where you must identify and exploit multiple NoSQL injection vulnerabilities on your own.

This module aims to teach you enough about NoSQL injection (MongoDB) that you are comfortable exploiting vulnerabilities on your own.

This module is broken into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this on the target host provided in the interactive sections or in your own virtual machine.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "medium" and assumes an intermediate knowledge of how web applications function and common attack principles.

Sections

  • Introduction to NoSQL
  • Introduction to NoSQL Injection
  • Bypassing Authentication
  • In-Band Data Extraction
  • Blind Data Extraction
  • Automating Blind Data Extraction
  • Server-Side JavaScript Injection
  • Automating Server-Side JavaScript Injection
  • Tools of the Trade
  • Preventing NoSQL Injection Vulnerabilities
  • Skills Assessment I
  • Skills Assessment II