💉 This ridiculously short JSON is still breaking MongoDB logins in 2026

{"user":{"$ne":null},"pass":{"$ne":null}}

That's it. You paste it into the login body (Content-Type: application/json) and you get in as the first user the database returns, almost always the admin.

Why does it work? The vulnerable app does something like:

db.users.findOne({ user: req.body.user, pass: req.body.pass })

Mongo interprets {"$ne": null} as an operator → "give me any doc where user is not null and pass is not null". Matches everything. Login bypass.

Why does it still work in 2026? Two CVEs published in March confirm it:
🎯 CVE-2026-30833 → Rocket.Chat (login bypass via injection in username)
🎯 CVE-2026-29793 → FeathersJS MongoDB ({$ne: null} matches the whole collection)

Try it TODAY (free):
PortSwigger Web Academy → "Exploiting NoSQL operator injection" lab
HackTheBox → Mango machine
Vulnerable "node-mongo-login"-style repos on GitHub

💡 Pro tip: the bug isn't in Mongo. It's in devs who pass req.body straight into the query without validating types. Mongoose with sanitizeFilter or an explicit $eq closes it in 2 lines.

⚠️ Only in bug bounty programs, your own labs, or environments with authorization. Anything else is a crime.

Have you tried it? Which CTF did you first find it in? #nosqlinjection #mongodb #pentesting #hackingetico #ciberseguridad #bugbounty #nosqli #ethicalhacking #cybersecurity #infosec #appsec
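The two fixes the post above names (type-checking the body and comparing with an explicit $eq) side by side with the vulnerable pattern, as an added example that is not the post's own code; buildLoginFilter, sanitizeFilter and assertString are names chosen here, and sanitizeFilter is a simplified re-implementation in the spirit of Mongoose's sanitizeFilter, not the library's code.

```javascript
// Added example, not code from the post above. Shows why the {"$ne": null}
// body matches every document when req.body is forwarded unchanged, and two
// defensive alternatives. Function names are this example's own.

// Vulnerable pattern for comparison: whatever the client sent becomes the filter,
// so an object value such as { $ne: null } is parsed by Mongo as an operator.
function vulnerableLoginFilter(body) {
  return { user: body.user, pass: body.pass };
}

// Reject anything that is not a plain string (objects, arrays, numbers, undefined).
function assertString(value, field) {
  if (typeof value !== "string") {
    throw new TypeError(`field "${field}" must be a string`);
  }
  return value;
}

// Hardened form: validate the type first, then compare with an explicit $eq so
// the value is only ever used as a literal, never as an operator.
function buildLoginFilter(body) {
  const user = assertString(body.user, "user");
  const pass = assertString(body.pass, "pass");
  return { user: { $eq: user }, pass: { $eq: pass } };
}

// Generic fallback for filters assembled from nested client input: any object
// whose keys begin with "$" is wrapped in $eq, so operator-shaped input is
// matched literally (and therefore matches nothing) instead of being executed.
// Simplified re-implementation in the spirit of Mongoose's sanitizeFilter.
function sanitizeFilter(filter) {
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const hasOperator = Object.keys(value).some((k) => k.startsWith("$"));
      out[key] = hasOperator ? { $eq: value } : sanitizeFilter(value);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample request bodies: a normal login and the operator payload.
const normalBody = { user: "alice", pass: "hunter2" };
const operatorBody = { user: { $ne: null }, pass: { $ne: null } };
```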
NoSQL Injection Exposes Admins and PII via ?search A NoSQL injection via unsanitized search parameters exposes sensitive data from an Elasticsearch-backed API. By sending query_string style inputs in ?search, an attacker bypasses OAuth scopes, enumerates admins and PII, and reveals thousands of records with minimal auth. Read more: medium.com/@thomasyoussef/no… Discover the app: secwiser.com/app #NoSQLInjection #ApplicationSecurity #WebSecurity #OWASP #VulnerabilityManagement #CyberSecurity #DataProtection #APIsecurity #Elasticsearch #TrendingTech #SecurityAwareness #Secwiser
A nice, straightforward exercise that made a difference for me in understanding NoSQL Injection, hands-on rather than theoretical. On Rootme there are just two challenges, and here are the solution and the method t4t4r1s.github.io/posts/nosq… #CyberSecurity #NoSQLInjection #RootMe #CTF #WebSecurity
Day 28 — API7: Injection Vulnerabilities 💉 Learned SQL & NoSQL injection! SQL: admin' OR '1'='1'-- bypasses login NoSQL: {"$ne": null} breaks MongoDB queries Never trust user input. Always use parameterized queries! #Day28 #APISecurity #SQLInjection #NoSQLInjection #OWASP
🚨 New Writeup Alert! 🚨 "NoSQL Injection: Exploitation Techniques and Attack Scenarios" by Het Patel is now live on IW! Check it out here: infosecwriteups.com/434ebec6… #nosql #bugs #bugbountytips #nosqlinjection #bugbountywriteup
7 Sep 2025
Replying to @nosqlinjection
Pretty solid for beginners
Replying to @nosqlinjection
Haven’t played with it much but seems fine too!
3 Sep 2025
From payloads to prevention: a primer on NoSQL injection for engineers - where it hides, how to test safely, and how Bright’s developer-first DAST verifies issues in CI. Read more here: bit.ly/3VsFhqJ #NoSQLInjection #BuildSecurely #DAST #DevSecOps #BrightSecurity
14 Aug 2025
Beyond SQL: The Rise of NoSQL Injection Attacks Think injection is just an SQL issue? Think again. From MongoDB to Redis, attackers are exploiting weak queries. 🔍 Attack vectors 🛡️ Defenses ⚙️ Real-world examples 👉 payatu.com/blog/beyond-sql-e… #NoSQLInjection #CyberSecurity
🎉 Just completed the NoSQL Injection room on TryHackMe! 🛡️ Staying ahead of the attackers—one injection at a time. #CyberSecurity #NoSQLInjection #TryHackMe #InfoSec #EthicalHacking #BugBounty #CyberTraining #HackThePlanet
Just wrapped up hardening an Express.js MongoDB app against XSS and NoSQL injection attacks. Sanitized inputs. Escaped where needed. Locked down query operators. Not vibe coding — building with intent. Security isn’t a bonus feature — it’s baseline. #XSS #NoSQLInjection #OWASP
💉💉 New room NoSQL Injection from @tryhackme : A walkthrough depicting basic NoSQL injections on MongoDB. 💉💉 This is free and an updated version of a previously released room #tryhackme #NoSQL #sqlinjection #nosqlinjection tryhackme.com/r/room/nosqlin…
🚨Vulnerability Tuesday🚨 NoSQL Injection: a critical concern in database security.🛡️ Attackers can manipulate NoSQL queries, potentially leading to unauthorized access or data manipulation. Stay informed, Stay secure!🔐 #VulnerabilityTuesday #NoSQLInjection #SecurityBoat
26 Nov 2023
Day 5 of 90 days challenge on @PentesterLab Completed more of the exercises of the Essential Badge @Pentesterlab #CodeExecution #CommandExecution #Webapplication #Pentesting #BugBounty #NoSQLinjection