From Recon to Root: A MongoDB NoSQL Injection Bug Bounty Journey
Summary
The PortSwigger Web Security Academy includes a lab focused on exploiting a NoSQL injection vulnerability in a web application that uses a MongoDB backend.
The vulnerability allows an attacker to inject malicious JavaScript and NoSQL operators into a query without sanitisation.
The attacker is able to extract data by manipulating boolean-based logic within the queries.
This particular lab focuses on extracting an administrator’s password from the application in order to gain access.
The attacker first uses a Boolean-based payload to confirm that the vulnerability is exploitable, then tests the payload size.
Using a series of requests, the attacker is able to enumerate each character of the password, which has a length of eight characters.
With this information, the attacker is able to log in to the administrator account.
The article ends with some tips for mitigating such vulnerabilities.
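The following is an added example, not the lab's or PortSwigger's code, showing in miniature why operator injection works against the login query described above and what the mitigation looks like. The user store, the request bodies and the eight-character secret are all constructed; the `find` helper models only the equality and `$ne` behaviour of a MongoDB filter that the demonstration needs.

```javascript
// Added example (not the lab's or PortSwigger's code): a minimal model of the
// login query behind a MongoDB NoSQL injection, with the vulnerable handler
// beside a hardened one. User records and request bodies are constructed.

// Constructed user store standing in for the MongoDB collection.
const USERS = [
  { username: "administrator", password: "Xk9pQ2mL" }, // constructed 8-char secret
  { username: "wiener", password: "peter" },
];

// Tiny evaluator for the subset of MongoDB filter semantics needed here:
// a plain value matches by equality; an object is treated as an operator
// document, of which only $ne is modelled.
function fieldMatches(actual, condition) {
  if (condition !== null && typeof condition === "object") {
    for (const [op, arg] of Object.entries(condition)) {
      if (op === "$ne") {
        if (actual === arg) return false;
      } else {
        throw new Error(`unsupported operator in this model: ${op}`);
      }
    }
    return true;
  }
  return actual === condition;
}

// Equivalent of collection.find(filter).toArray() against the in-memory store.
function find(filter) {
  return USERS.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
}

// VULNERABLE: values from the parsed JSON body are placed straight into the
// filter. A body such as {"username":"administrator","password":{"$ne":""}}
// turns the password check into "password is not empty", which every record
// satisfies, so the query matches the administrator without the password.
function vulnerableLogin(body) {
  const matches = find({ username: body.username, password: body.password });
  return matches.length === 1 ? matches[0].username : null;
}

// Recursively true if any key in the value is a MongoDB operator ($-prefixed).
function containsOperator(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, inner]) => key.startsWith("$") || containsOperator(inner)
  );
}

// HARDENED: credentials must be plain strings, so operator documents never
// reach the query. The operator scan is redundant for this handler but is the
// check to apply where an input legitimately may be an object.
function safeLogin(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") return null;
  if (containsOperator(body)) return null;
  const matches = find({ username, password });
  return matches.length === 1 ? matches[0].username : null;
}

// Stand-alone demonstration with constructed request bodies.
function demo() {
  const honest = { username: "administrator", password: "Xk9pQ2mL" };
  const wrong = { username: "administrator", password: "guess" };
  const injected = { username: "administrator", password: { $ne: "" } };
  return {
    vulnerableHonest: vulnerableLogin(honest),     // "administrator"
    vulnerableWrong: vulnerableLogin(wrong),       // null
    vulnerableInjected: vulnerableLogin(injected), // "administrator": check bypassed
    safeHonest: safeLogin(honest),                 // "administrator"
    safeInjected: safeLogin(injected),             // null: operator document rejected
  };
}

console.log(demo());
```

The design point is that the fix is a type check at the trust boundary, not a blacklist of operator names: once `username` and `password` are guaranteed to be strings, no `$`-prefixed key can reach the filter, and the Boolean-based enumeration the lab relies on has nothing to toggle. The `containsOperator` scan is the equivalent defence for handlers that must accept structured input.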