New to CAPEC? Start Here
Home > CAPEC List > CAPEC-676: NoSQL Injection (Version 3.6)  

CAPEC-676: NoSQL Injection

Attack Pattern ID: 676
Abstraction: Standard
Status: Stable
Presentation Filter:
+ Description

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.

+ Extended Description

NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level.

Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668].

+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.248Command Injection
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.460HTTP Parameter Pollution (HPP)
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Survey target application: Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.

    Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
    Identify areas of the application that interact with user input and may be involved with NoSQL queries.
  1. Identify user-controllable input susceptible to injection: After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., "$ne" for MongoDB or "$exists" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.

    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  2. Experiment with NoSQL Injection vulnerabilities: After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.

    Use public resources such as OWASP's "Testing for NoSQL Injection" [REF-668] or Null Sweep's "NoSQL Injection Cheatsheet" [REF-669] and try different approaches for adding logic to NoSQL queries.
    Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.
    Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as "where" within PHP [CAPEC-460].
  1. Exploit NoSQL Injection vulnerability: After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.

    Craft and Execute underlying NoSQL query
+ Prerequisites
Awareness of the technology stack being leveraged by the target application.
NoSQL queries used by the application to store, retrieve, or modify data.
User-controllable input that is not properly validated by the application as part of NoSQL queries.
Target potentially susceptible to operator replacement attacks.
+ Skills Required
[Level: Low]
For keyword and JavaScript injection attacks, it is fairly simple for someone with basic NoSQL knowledge to perform NoSQL injection, once the target's technology stack has been determined.
[Level: Medium]
For operator replacement attacks, the adversary must also have knowledge of HTTP Parameter Pollution attacks and how to conduct them.
+ Resources Required
None: No specialized resources are required to execute this type of attack.
+ Indicators
Too many false or invalid queries to the database, especially those caused by malformed input.
Executed queries or commands that appear to malicious in nature or originating from an untrustworthy source.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Modify Data
Read Data
Execute Unauthorized Commands
Access Control
Gain Privileges
+ Mitigations
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as relevant NoSQL and JavaScript content. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to characters such as a single-quote(') or semicolons (;) based on the context in which they appear. Validation should also extend to expected types.
If possible, leverage safe APIs (e.g., PyMongo and Flask-PyMongo for Python and MongoDB) for queries as opposed to building queries from strings.
Ensure the most recent version of a NoSQL database and it's corresponding API are used by the application.
Use of custom error pages - Adversaries can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.
Exercise the principle of Least Privilege with regards to application accounts to minimize damage if a NoSQL injection attack is successful.
If using MongoDB, disable server-side JavaScript execution and leverage a sanitization module such as "mongo-sanitize".
If using PHP with MongoDB, ensure all special query operators (starting with $) use single quotes to prevent operator replacement attacks.
Additional mitigations will depend on the NoSQL database, API, and programming language leveraged by the application.
+ Example Instances

The following examples primarily cite MongoDB, PHP, and NodeJS attacks due to their prominence and popularity. However, please note that these attacks are not exclusive to this NoSQL instance, programming language, or runtime framework.

Within NodeJS, Login Bypass attacks are possible via MongoDB if user-input is not properly validated and sanitized [REF-670].

//NodeJS with Express.js
"user": req.query.user,
"password": req.query.password

The above code works fine if the user were to submit a query like the following:

But an adversary could submit a malicious query such as the below, which would be interpreted by the code as follows:[$ne]=

//NodeJS with Express.js
"user": bob,
"password": {"&ne": ""}

This will result in a Login Bypass attack, as the query will succeed for all values where Bob's password is not an empty string.

MongoDB instances are also vulnerable to JavaScript Injection Attacks when user input is not properly validated and sanitized.

//PHP with MongoDB
db.collection.find({$where: function() {
return (this.username == $username) } } );

If the user properly specifies a username, then this code will execute as intended. However, an adversary can inject JavaScript into the "$username" variable to achieve a NoSQL Injection attack as follows:

//PHP with MongoDB
db.collection.find({$where: function() {
return (this.username == 'foo'; sleep(5000) ) } } );

This will result in the server sleeping for 5 seconds if the attack was successful. An adversary could supply a larger value to deny service to the application.

If leveraging PHP with MongoDB, operator replacement attacks are possible if special query operators are not properly addressed. The below example from OWASP's "Test for NoSQL Injection" displays a simple case of how this could occur.[REF-668]

db.myCollection.find({$where: function() {
return obj.credits - obj.debits < 0; } } );

Even though the above query does not depend on any user input, it is vulnerable to a NoSQL injection attack via operator replacement on the "$where" keyword. In this case, the adversary could exploit MongoDB in the following manner:

$where: function() { //arbitrary JavaScript here }
+ References
[REF-669] Charlie Belmer. "NoSql Injection Cheatsheet". Null Sweep. 2021-06-07. <>. URL validated: 2021-09-30.
[REF-670] Patrick Spiegel. "NoSql Injection: Fun with Objects and Arrays". The OWASP Foundation. <>. URL validated: 2021-09-30.
[REF-671] "NoSql Injection: Fun with Objects and ArraysNoSQL Injection Attacks and Prevention Techniques". WebOrion. 2019-06. <>. URL validated: 2021-10-11.
+ Content History
Submission DateSubmitterOrganization
2021-10-21CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 21, 2021