Bypass Authentication

Most NoSQL databases accept JSON, so the injected data has to be formatted as JSON. The attack can work at the application level or at the database level, depending on which of the two allows unsanitized commands to be passed through.

It is unlikely that the application has unsanitized input fields that accept raw JSON, and even if it does, there is a good chance the data is URL-encoded on the way in, so the payload loses its effectiveness.

If the attack works at the application level, the following values can be fed into the fields to direct the database to return:

"$ne":"admin" # for the username field
"$ne":"pass" # for the password field

If the attack is executed directly against the database, the application has to be told that the submitted data is JSON so that it passes it straight through to the database. This makes it a two-step attack:

  1. Create the JSON data to be submitted to the database

{"username":{"$ne":"admin"}, "password":{"$ne":"pass"}}

  2. Capture the submitted request with Burp Suite or another interception tool, replace the POST body with that JSON, and set the HTTP header

Content-Type: application/JSON
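As an added example (not code from the page), the same bypass modelled in plain JavaScript beside the fix: a login handler that drops the parsed JSON body straight into the query, and a hardened one that rejects anything other than plain strings. The user list and the in-memory matcher are constructed stand-ins for a MongoDB collection, so no driver is needed.

```javascript
// Constructed sample collection. Real applications store a password hash and
// verify it after looking the user up by username, never by querying on the
// password field; the plaintext here only keeps the model short.
const users = [
  { username: "admin", password: "hunter2" },
  { username: "alice", password: "s3cret" },
];

// Minimal stand-in for MongoDB filter matching: a string condition matches by
// equality, an object of the form {"$ne": v} matches when the field differs
// from v. Any other operator is out of scope for this model.
function fieldMatches(actual, cond) {
  if (cond !== null && typeof cond === "object") {
    if (Object.keys(cond).length === 1 && "$ne" in cond) {
      return actual !== cond.$ne;
    }
    throw new Error("operator not modelled");
  }
  return actual === cond;
}

function findOne(filter) {
  const hit = users.find((u) =>
    Object.keys(filter).every((k) => fieldMatches(u[k], filter[k]))
  );
  return hit || null;
}

// Vulnerable pattern: body fields go into the filter unchanged, so a JSON body
// whose values are objects turns into query operators instead of literals.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened pattern: credentials must be plain strings before they reach the
// query, so an operator object such as {"$ne": "admin"} is refused up front.
// A real handler would answer 400 here rather than returning null.
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    return null;
  }
  return findOne({ username, password });
}
```

The same type check belongs on every field that ends up in a query, not only on the login form; casting with String() is an alternative where the framework does not expose the raw type.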