Injection

NoSQL Injection: Attacking MongoDB, DynamoDB, and Document Databases

How injection attacks work beyond SQL and what to do about them

What Is NoSQL Injection

NoSQL injection targets document databases such as MongoDB, DynamoDB, and CouchDB by manipulating query operators and data structures rather than SQL syntax. MongoDB and similar stores take query filters as JSON documents, so when an application drops user input straight into a filter, an attacker who can submit an object instead of a string gets to supply query operators ($gt, $ne, $regex) in a position where the code expected a literal value.

Classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and OWASP A03:2021 – Injection, NoSQL injection exploits the misconception that "NoSQL databases are immune to injection." That misconception has produced widespread vulnerabilities, particularly in Node.js applications that pass request data to MongoDB without checking its type.

MongoDB Operator Injection

When user input is passed directly to MongoDB queries without type validation, attackers inject query operators:

// Vulnerable login endpoint. req.body comes straight from express.json(), so
// either field may arrive as an object rather than a string. db is assumed to
// be an already-connected MongoDB Db instance (setup omitted).
const express = require('express');
const app = express();
app.use(express.json());

app.post('/login', async (req, res) => {
  const user = await db.collection('users').findOne({
    username: req.body.username,  // attacker-controlled, never type-checked
    password: req.body.password   // same, and compared inside the query itself
  });
  if (!user) return res.status(401).json({ error: 'invalid credentials' });
  res.json({ ok: true, user: user.username });
});

An attacker sends the JSON body { "username": "admin", "password": { "$ne": "" } } (with express.urlencoded({ extended: true }) the form body password[$ne]= produces the same object).

The filter now reads "username is admin and password is not equal to the empty string", which matches the admin document whatever its password is, so authentication is bypassed. Hashing the stored password does not help here: the comparison happens inside the query against whatever value is stored, never between the submitted secret and a hash.

Other Attack Vectors

  • $regex extraction: a filter such as { "password": { "$regex": "^a" } } turns the login response into a yes/no oracle on the stored value's prefix, so an attacker recovers it one character at a time (blind injection). Because the match is against the stored value, a hashed password leaks as its hash; tokens or other secrets stored in plaintext leak directly.
  • $where injection: MongoDB's $where accepts a JavaScript expression evaluated on the server, so concatenating user input into it is direct code injection. Disable server-side JavaScript (security.javascriptEnabled: false) unless it is actually needed.
  • DynamoDB: string concatenation of user input into FilterExpression or KeyConditionExpression lets the attacker change the structure of the query; pass user-supplied values through ExpressionAttributeValues placeholders (and attribute names through ExpressionAttributeNames) instead.

Real-World NoSQL Injection

NoSQL injection is most common in Node.js + MongoDB applications because the framework does the attacker's work: express.json() parses a JSON request body into an object without constraining the types of its fields, and express.urlencoded({ extended: true }) turns bracket syntax such as password[$ne]= into the nested object { password: { $ne: '' } }, so operator objects reach the query unless the handler checks types itself.

  • Authentication bypasses: Multiple MongoDB-backed applications have been found vulnerable to $ne and $gt operator injection on login endpoints, granting access to admin accounts.
  • Data extraction: $regex-based blind injection has been used to extract passwords and tokens from MongoDB collections character-by-character.
  • Mass-scan compromises (2017-2020): Thousands of publicly-exposed MongoDB instances were compromised by automated scanning campaigns, though these were primarily due to missing authentication and open network exposure rather than injection.

How CodeSlick Detects NoSQL Injection

CodeSlick identifies NoSQL injection patterns in JavaScript, TypeScript, and Python:

  • Request body or query parameters passed directly to MongoDB query methods (find(), findOne(), updateOne()) without type checking
  • $where operator usage with variable input
  • DynamoDB expression string concatenation with user input

All findings include CWE-943 classification and AI-powered fix suggestions that add input type validation and sanitization middleware.
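A minimal form of the sanitization middleware such a fix adds, as an added example (not CodeSlick's code): it walks the parsed request tree and rejects any key that starts with $ or contains a dot before a handler can see it. The names findOperatorKey and rejectOperators are this example's own; the middleware follows Express's (req, res, next) convention but runs without Express.

```javascript
// Added example, not CodeSlick's code: reject MongoDB operator keys anywhere
// in the parsed request before a handler can forward them to a query.

// Returns the path of the first offending key, or null if the value is clean.
// Keys starting with "$" are operators; keys containing "." address subfields.
function findOperatorKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith('$') || key.includes('.')) return here;
      const hit = findOperatorKey(value[key], here);
      if (hit) return hit;
    }
  }
  return null;
}

// Middleware with Express's (req, res, next) signature. Body, query string and
// route params are all attacker-controlled, so all three are checked; a hit
// ends the request with 400 and never calls next().
function rejectOperators(req, res, next) {
  for (const source of ['body', 'query', 'params']) {
    const hit = findOperatorKey(req[source]);
    if (hit) {
      res.status(400).json({ error: `operator not allowed in ${source}.${hit}` });
      return;
    }
  }
  next();
}

module.exports = { findOperatorKey, rejectOperators };
```

Mount it after the body parser (app.use(express.json()); app.use(rejectOperators);). Rejecting with 400 is stricter than the strip-or-replace behaviour of packages such as express-mongo-sanitize, and it is defence in depth rather than a replacement for per-field type checks: the middleware cannot know that password must be a string, only that no operator key may appear.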
