AppSec Tales XXI | NoSQLI

Karol Mazurek
6 min readNov 4, 2023

Application Security Testing for NoSQL Injections.

INTRODUCTION

The article describes how to test the application to find NoSQL Injection vulnerabilities in various databases that do not use SQL (Structured Query Language), such as:

Source: NoSQL Database — What is NoSQL? | Microsoft Azure

Furthermore, you will find payloads for testing Cypher Query Language.

It is good to read AppSec Tales XIII | SQLI first if you have not already.

GUIDELINES

In the below guidelines, I assume that you identified the application entry points described in the AppSec Tales XI | Input Validation:

The below table shows an overview of the guidelines:

Guidelines start from identifying the database, but relying solely on this during black box testing is not recommended. The application may use a vulnerable third-party mechanism susceptible to NoSQL attacks, so it is crucial to use all payloads anyway.

I. DB IDENTIFICATION — PORT SCAN

Conduct a port scan with a banner grabbing on the target.

  • Use nmap to conduct a full port scan with a banner grabbing because sometimes the database can work on different ports:
nmap -p- -sV TARGET_IP

--

--