PortSwigger Web Academy: NoSQL Operator Injection Auth Bypass

Alex Rodriguez
4 min read · Sep 29, 2023

Hello, World! This blog post is a walkthrough of the second lab in PortSwigger's Web Academy NoSQL injection series, "Exploiting NoSQL operator injection to bypass authentication." Let's go for it!

Glossary

NoSQL Database — a database that does not use the relational, table-based model and instead stores data as key-value pairs, graphs, wide columns, or documents. NoSQL databases also do not use standard SQL for CRUD operations; each engine has its own query language or API, and that is where the injection surface lives.

Syntax Injection — an attack vector in which user input breaks out of the intended query syntax (for example, a string concatenated into a MongoDB `$where` clause) so that the attacker can append their own query logic. It is the NoSQL analogue of classic SQL injection.

Operator Injection — an attack vector that does not break the query syntax at all; instead it supplies the query language's own operators (such as `$ne`, `$gt`, `$regex`, or `$where` in MongoDB) where the application expected a plain value, typically by sending a JSON object in place of a string. The operator changes the condition the backend evaluates, for example turning `password == "x"` into `password != ""`.

MongoDB — the most widely used NoSQL database. It is a document store that keeps records as BSON (a binary, JSON-like format), which allows nested, flexible data models without a fixed schema.
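To make the two glossary entries concrete, here is an added example (not code from the original post or from PortSwigger's lab) that models a MongoDB-style login query in plain JavaScript so both injection classes can be run offline without a database. The user store, the handler names (`loginVulnerable`, `loginFixed`, `loginWhereVulnerable`) and the mini query matcher are all assumptions made for the demonstration; real MongoDB implements many more operators than the four emulated here.

```javascript
// Added example, not from the original post. Emulates a small subset of
// MongoDB filter semantics so operator injection and syntax injection can be
// demonstrated offline. All names and records below are constructed.

// Constructed sample user store (not the lab's real accounts).
const USERS = [
  { username: "wiener", password: "peter" },
  { username: "administrator", password: "ChangeMe!2023" },
];

// A filter value is either a literal (tested for equality) or an operator
// object such as { $ne: "" }. Only $eq, $ne, $regex and $in are emulated.
function fieldMatches(actual, cond) {
  if (cond === null || typeof cond !== "object") return actual === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$eq": return actual === arg;
      case "$ne": return actual !== arg;
      case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
      case "$in": return Array.isArray(arg) && arg.includes(actual);
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Return the first document matching every field in the filter, or null.
function findOne(filter) {
  const hit = USERS.find((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
  return hit || null;
}

// Vulnerable: the parsed JSON body is copied straight into the filter, so a
// client that sends {"password": {"$ne": ""}} gets an operator where the
// developer assumed a string. This is operator injection.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// Fixed: enforce the expected type, then compare with $eq so the value is
// treated literally even if a non-string somehow reached the query.
function loginFixed(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null; // a non-string credential is a failed login, not an error page
  }
  return findOne({ username: { $eq: body.username }, password: { $eq: body.password } });
}

// Syntax injection, for contrast: a $where-style clause built by string
// concatenation. MongoDB evaluates $where as JavaScript against each document;
// new Function emulates that here, which is exactly why the pattern is unsafe.
function loginWhereVulnerable(username, password) {
  const where = `this.username == '${username}' && this.password == '${password}'`;
  const test = new Function(`return (${where});`);
  return USERS.find((doc) => test.call(doc)) || null;
}

// Stand-alone demonstration.
console.log(loginVulnerable({ username: "wiener", password: { $ne: "" } }));          // wiener, no password known
console.log(loginVulnerable({ username: { $regex: "^admin" }, password: { $ne: "" } })); // administrator
console.log(loginFixed({ username: "wiener", password: { $ne: "" } }));               // null
console.log(loginWhereVulnerable("x", "' || this.username == 'administrator"));       // administrator
```

The operator payloads only work when the login endpoint accepts a body format that can carry an object (JSON, or a query-string parser that builds nested objects from `password[$ne]=`), which is why the first thing to check in the lab is what content type the login form actually submits. The syntax payload, by contrast, works on a plain string field because it rewrites the boolean logic of the `$where` expression: `A && B || C` is evaluated as `(A && B) || C`, and `C` is the attacker's `this.username == 'administrator'`.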

Lab Walkthrough: Exploiting NoSQL operator injection to bypass authentication

Objective

Alex Rodriguez

I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.