hunt-nosqli


HUNT-NOSQLI — NoSQL Injection

Crown Jewel Targets

NoSQL injection is most valuable when it bypasses authentication (Critical) or leaks the entire user collection (High).

Highest-value chains:

  • MongoDB auth bypass: `{"username": {"$gt": ""}, "password": {"$gt": ""}}` logs in as first user in collection (usually admin)
  • $where JS injection — if $where is enabled: blind injection → data exfil
  • Redis command injection — via SSRF or direct TCP, SLAVEOF attacker-ip → config write → webshell
  • Elasticsearch injection — _search endpoint with Groovy script injection (pre-5.0) → RCE
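The MongoDB auth-bypass chain works only because the JSON body is dropped straight into the query filter, so `{"$gt": ""}` is interpreted as a query operator rather than as a literal string. The following added example (not code from the hunt-nosqli skill or the claude-bughunter project; `buildLoginFilterUnsafe`, `buildLoginFilterSafe` and `containsOperator` are names assumed here) contrasts the vulnerable filter construction with a hardened version and a detection check for operator-shaped input:

```javascript
// Added example: why operator injection works and how to shut it down.
// Recursively check whether a value contains any key beginning with '$'
// (a MongoDB query operator). Useful both for input validation and for
// flagging suspicious request bodies in application logs.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => key.startsWith('$') || containsOperator(inner)
    );
  }
  return false;
}

// Unsafe (hypothetical handler): body fields go straight into the filter,
// so an attacker-supplied object becomes an operator that matches every
// document, and findOne() returns the first user in the collection.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened: accept plain strings only (assumed policy) and refuse anything
// else. Returns null when the input must be rejected; the caller should
// answer 400 and log the body. In real code the filter would carry only
// the username, with the password verified against a stored hash.
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  return { username, password };
}

// Constructed request bodies: a normal login and the payload from the text.
const normalBody = { username: 'alice', password: 'hunter2' };
const injectedBody = { username: { $gt: '' }, password: { $gt: '' } };

console.log(containsOperator(buildLoginFilterUnsafe(injectedBody))); // true
console.log(buildLoginFilterSafe(injectedBody));                     // null
console.log(buildLoginFilterSafe(normalBody));                       // { username: 'alice', password: 'hunter2' }
```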

Attack Surface Signals

Installs: 9 · GitHub Stars: 2.6K · First Seen: Jun 5, 2026
hunt-nosqli — elementalsouls/claude-bughunter