PortSwigger Web Academy: Detecting NoSQL Injection Lab
Hello, World! This blog post is a walkthrough of the first of PortSwigger's new Web Security Academy NoSQL injection labs, "Detecting NoSQL Injection." Let's go for it!
Glossary
NoSQL Database — a database that does not use table-based (relational) storage but an alternative model such as key-value pairs, graphs, or documents. NoSQL databases also do not use standard SQL for CRUD operations; each has its own query language or API.
Syntax Injection — breaking out of the NoSQL query's syntax so that attacker-supplied input is interpreted as part of the query, which lets you extend the query with your own payload (the NoSQL equivalent of classic SQL injection).
Operator Injection — supplying native NoSQL query operators (for example MongoDB's $ne or $where) as input so that they change the operation the backend performs, without needing to break the query's syntax.
MongoDB — the most widely used NoSQL database. It is document-oriented: records are stored as JSON-like (BSON) documents, which allows complex, nested data models and relationships.
Lab Walkthrough: Detecting NoSQL Injection
Objective
To solve the lab, perform a NoSQL injection attack that causes the application to display unreleased products.
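To make the glossary's distinction between syntax injection and operator injection concrete, and to show how a syntax injection can surface unreleased products, here is an added example. It is not part of the original post or of the PortSwigger lab: it uses a toy in-memory collection with a small MongoDB-style matcher, and the field names (`category`, `released`), the sample products, and the shape of the application's query are all assumptions.

```javascript
// Added example (not from the original post or the lab). A toy in-memory "collection"
// with a MongoDB-style matcher, used to contrast syntax injection (a $where string
// built by concatenation) with operator injection (an operator smuggled in as a value).
// The field names, the `released` flag and the sample products are constructed.

const products = [
  { name: "Mug", category: "Gifts", released: 1 },
  { name: "Pen", category: "Gifts", released: 0 }, // unreleased
  { name: "Lamp", category: "Lifestyle", released: 1 },
];

// Minimal matcher: plain values compare with ===, objects are treated as operator
// documents, and `$where` evaluates a JavaScript expression against each document
// (mirroring MongoDB's $where, which is what makes syntax injection possible here).
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (field === "$where") {
      return Boolean(new Function(`return (${cond});`).call(doc));
    }
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, v]) => {
        switch (op) {
          case "$eq": return doc[field] === v;
          case "$ne": return doc[field] !== v;
          default: throw new Error(`unsupported operator ${op}`);
        }
      });
    }
    return doc[field] === cond;
  });
}

function find(query) {
  return products.filter((d) => matches(d, query)).map((d) => d.name);
}

// 1) Syntax injection: the category is spliced into a JS expression string. The
//    application intends `this.category == '<cat>' && this.released == 1`, but a
//    value such as  Gifts'||1||'  closes the quote and short-circuits the whole
//    condition to true, so unreleased products are returned as well.
function findBySyntax(category) {
  const where = `this.category == '${category}' && this.released == 1`;
  return find({ $where: where });
}

// Detection probe (the idea behind the lab's title): an unbalanced quote breaks the
// expression and surfaces as an error, while a balanced payload does not.
function probe(category) {
  try {
    return { ok: true, count: findBySyntax(category).length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// 2) Operator injection: a parsed JSON value is passed straight through as the query
//    value, so {"$ne": ""} turns an equality match into "any category".
function findByOperator(categoryValue) {
  return find({ category: categoryValue, released: 1 });
}

// Hardened form: reject anything that is not a string, so an object can never become
// an operator document, and never build a $where expression from user input.
function findSafe(categoryValue) {
  if (typeof categoryValue !== "string") {
    throw new TypeError("category must be a string");
  }
  return find({ category: { $eq: categoryValue }, released: 1 });
}
```

Calling `findBySyntax("Gifts")` returns only `Mug`, while `findBySyntax("Gifts'||1||'")` returns all three products including the unreleased `Pen`; `probe("Gifts'")` reports a `SyntaxError`, which is the kind of behavioural difference that lets you detect the injection point before exploiting it. `findByOperator({ $ne: "" })` ignores the intended category filter, and `findSafe` refuses the same input.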