
Offensive360 Academy · Intermediate · 20 min

NoSQL Injection

Discover how MongoDB operator injection bypasses authentication and how typed schemas prevent it.

1 What is NoSQL Injection?

NoSQL databases like MongoDB use query objects instead of SQL strings, but they are still vulnerable to injection when user-supplied data is used directly in query operators.

Vulnerable example (Node.js + MongoDB):

// Attacker sends: { "password": { "$gt": "" } }
const user = await db.collection("users").findOne({
  username: req.body.username,
  password: req.body.password  // injected operator!
});

The $gt operator matches any password greater than the empty string, so the password condition is true for every user with a non-empty password and authentication is bypassed. Other operators like $where execute arbitrary JavaScript server-side, enabling data exfiltration.

Tautology attack example:

{ "username": { "$gt": "" }, "password": { "$gt": "" } }

This query returns the first document in the collection, effectively logging in as any user without knowing credentials.

2 Preventing NoSQL Injection

The primary defense is to validate that query parameters are the expected type before using them in queries. Never trust object-shaped input from users.

// Safe — validate types before querying
const { username, password } = req.body;
if (typeof username !== "string" || typeof password !== "string") {
  return res.status(400).json({ error: "Invalid input" });
}
const user = await db.collection("users").findOne({ username, password });

Using Mongoose with strict schemas:

const mongoose = require("mongoose");

const UserSchema = new mongoose.Schema({
  username: { type: String, required: true },
  password: { type: String, required: true }
});
// Mongoose strict mode (default: true) rejects unknown fields
// Schema typing coerces values to strings, breaking operator injection

Defense checklist:

  • Validate input types (string, not object)
  • Use Mongoose with strict schemas
  • Sanitize operator keys with libraries like mongo-sanitize
  • Disable $where and server-side JS in MongoDB config
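The following is an added example, not code from the Offensive360 lesson: it combines two items of the checklist (operator-key sanitisation as done by mongo-sanitize, and string type validation) in front of the login filter. The function names and the constructed request bodies are this example's own.

```javascript
// Added example (not the lesson's code): two checklist defenses for the login
// endpoint. stripOperatorKeys() does what mongo-sanitize does (drops keys that
// begin with "$"); buildLoginFilter() enforces the string-only rule on top.

// Return a deep copy of `value` with every "$"-prefixed key removed.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, child] of Object.entries(value)) {
      if (!key.startsWith("$")) clean[key] = stripOperatorKeys(child);
    }
    return clean;
  }
  return value;
}

// Build the findOne() filter for a login request. Sanitizing alone is not
// enough: { "$gt": "" } becomes {} after stripping, which is still an object,
// so the string check below is what finally rejects it.
function buildLoginFilter(body) {
  const { username, password } = stripOperatorKeys(body ?? {});
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// Constructed request bodies: the lesson's payloads plus a benign login.
const SAMPLE_BODIES = {
  tautology: { username: { $gt: "" }, password: { $gt: "" } },
  passwordOnly: { username: "alice", password: { $gt: "" } },
  benign: { username: "alice", password: "correct horse battery staple" },
};

// Run every body through buildLoginFilter and record whether it was accepted.
function checkBodies(bodies) {
  const results = {};
  for (const [name, body] of Object.entries(bodies)) {
    try {
      results[name] = { accepted: true, filter: buildLoginFilter(body) };
    } catch (err) {
      results[name] = { accepted: false, reason: err.message };
    }
  }
  return results;
}

console.log(JSON.stringify(checkBodies(SAMPLE_BODIES), null, 2));
```

Mongoose's schema casting does not strip operators out of a query filter by itself; in Mongoose 6 and later, mongoose.set("sanitizeFilter", true) performs the same kind of stripping shown above for every query.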

Knowledge Check

Q1

What is the root cause of NoSQL injection in MongoDB?

Q2

Which fix best prevents MongoDB operator injection in a login endpoint?

Q3

How does NoSQL injection differ from SQL injection?

Code Exercise

Fix the MongoDB Login

The login below is vulnerable to NoSQL injection. An attacker can send {"password": {"$gt": ""}} to bypass authentication. Fix it by validating that both username and password are strings.
