💉 This ridiculously short JSON still breaks MongoDB logins in 2026:

{"user":{"$ne":null},"pass":{"$ne":null}}

That's it. You paste it into the login body (Content-Type: application/json) and you get in as the first user the database returns, which is almost always the admin.

Why does it work? The vulnerable app does something like:

db.users.findOne({ user: req.body.user, pass: req.body.pass })

Mongo interprets {"$ne": null} as an operator → "give me any doc where user is not null and pass is not null". Matches everyone. Login bypass.

Why does it still work in 2026? Two CVEs published in March confirm it:
🎯 CVE-2026-30833 → Rocket.Chat (login bypass via injection in the username)
🎯 CVE-2026-29793 → FeathersJS MongoDB ({$ne: null} matches the whole collection)

Try it TODAY (free):
PortSwigger Web Academy → lab "Exploiting NoSQL operator injection"
HackTheBox → Mango machine
Vulnerable repos like "node-mongo-login" on GitHub

💡 Pro tip: the bug isn't in Mongo. It's in devs who pass req.body straight into the query without validating types. Mongoose with sanitizeFilter or an explicit $eq closes it in 2 lines.

⚠️ Only in bug bounty programs, your own labs, or environments where you have authorization. Anything else is a crime.

Have you tried it? Which CTF did you first run into it in? #nosqlinjection #mongodb #pentesting #hackingetico #ciberseguridad #bugbounty #nosqli #ethicalhacking #cybersecurity #infosec #appsec
11
49
2,202
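The post's point is that the operator payload only works because the request body is spliced into the filter untyped. The following is an added example, not code from the post or from any project it names: a pure JavaScript, database-free comparison of the vulnerable filter construction against a hardened one that type-checks the credentials and wraps them in an explicit $eq, plus a small walker that flags operator-bearing input for rejection or logging. The function names and the request bodies are constructed for this example.

```javascript
// Added example (not from the original post). Shows why the {"$ne": null}
// payload reaches MongoDB as an operator when req.body is spliced straight into
// the filter, and how type validation plus an explicit $eq closes that path.
// No database is needed; the request bodies below are constructed.

// Vulnerable: whatever JSON value the client sent becomes the filter value,
// so an object such as {"$ne": null} is handed to MongoDB as an operator.
function buildLoginFilterVulnerable(body) {
  return { user: body.user, pass: body.pass };
}

// Returns true when any key anywhere inside the value starts with "$", i.e.
// the client-supplied input carries a MongoDB operator. Run this on the
// request body (not on the filter the server builds) to reject or log it.
function inputContainsOperator(value) {
  if (Array.isArray(value)) return value.some(inputContainsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || inputContainsOperator(value[k])
    );
  }
  return false;
}

// Hardened: only plain strings are accepted, and each is wrapped in an
// explicit $eq so the driver can never reinterpret the value as an operator.
// Objects, arrays, numbers and missing fields are rejected before any query
// is built, which also gives the caller a clean 400-style error to return.
function buildLoginFilterHardened(body) {
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string') {
    throw new TypeError('user and pass must be strings');
  }
  return { user: { $eq: user }, pass: { $eq: pass } };
}

// Constructed request bodies: a normal login and the payload quoted in the post.
const normalBody = { user: 'alice', pass: 'hunter2' };
const injectedBody = JSON.parse('{"user":{"$ne":null},"pass":{"$ne":null}}');

// Summarises what each code path does with the two bodies.
function demo() {
  const result = {
    normalFlagged: inputContainsOperator(normalBody),       // false
    injectedFlagged: inputContainsOperator(injectedBody),   // true
    // Vulnerable path: the $ne operator survives into the filter unchanged.
    vulnerableLeaksOperator:
      buildLoginFilterVulnerable(injectedBody).user.$ne === null,
    hardenedRejects: false,
  };
  try {
    buildLoginFilterHardened(injectedBody);
  } catch (e) {
    result.hardenedRejects = e instanceof TypeError;
  }
  return result;
}

console.log(demo());
```

Wrapping in $eq alone already defeats the payload, because $eq against an object performs whole-document equality and never matches a stored string; the type check on top of it turns a silent non-match into an explicit validation error that can be logged. In Mongoose the equivalent switch is the sanitizeFilter option the post mentions, which strips client-supplied operators from filter values.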
A nice, hands-on experience that made a real difference in my understanding of NoSQL Injection, practical rather than theoretical. On Rootme there are only two challenges, and here is the solution and how I solved them: t4t4r1s.github.io/posts/nosq… #CyberSecurity #NoSQLInjection #RootMe #CTF #WebSecurity
1
14
423
🚨 New Writeup Alert! 🚨 "NoSQL Injection: Exploitation Techniques and Attack Scenarios" by Het Patel is now live on IW! Check it out here: infosecwriteups.com/434ebec6… #nosql #bugs #bugbountytips #nosqlinjection #bugbountywriteup

1
8
1,225
Replying to @nosqlinjection
Haven’t played with it much but seems fine too!
8
1,233
🚨Vulnerability Tuesday🚨 NoSQL Injection: a critical concern in database security.🛡️ Attackers can manipulate NoSQL queries, potentially leading to unauthorized access or data manipulation. Stay informed, Stay secure!🔐 #VulnerabilityTuesday #NoSQLInjection #SecurityBoat
1
4
195
26 Nov 2023
Day 5 of 90 days challenge on @PentesterLab Completed more in the exercises of Essential Bagde @Pentesterlab #CodeExecution #CommandExecution #Webapplication #Pentesting #BugBounty #NoSQLinjection
1
7
379
NEED HELP: I need a tool to exploit NoSQL injection pls, need it for a POC. Tried installing NoSQLmap, didn't work for me cz it's based on Python2 #bugbounty #bugbountytips
3
4
566
This was an awesome talk and demo on API analysis and exploitation from @hAPI_hacker featuring some amazing real-time on-the-fly hacking (#NoSQLinjection #MongoDB) by @ChrisADale! This is very worth a watch, informative and fun!

We are live now!
2
8
4,792
An app that uses NoSQL can also be vulnerable. I've uploaded a video on NoSQL Injections: login bypass and dumping collections, tools, a couple of real CVEs, among other things. #hacking #pentesting #webhacking #nosql #nosqlinjection youtu.be/MPePUFYbqc4

2
5
133
8 Nov 2022
Discover and learn techniques for hacking apps with NoSQL backends in our latest post by @srkasthuri. Check out: appsecco.com/blog/hacking-ap… #infosec #CybersecurityAwarenessMonth #appsecco #nosqlinjection #Pentesting
6
9
@N0_M3ga_Hacks is going to conduct the session on the Anatomy of #NoSQLInjection. Time: 16th Oct 2022, 12:15PM. RSVP: bit.ly/3SM1cGr #nullahm
2
7
22 Apr 2022
@SynackRedTeam member @kuldeepdotexe discusses #NoSQLInjection in the latest blog. He details his most recent discovery on #NoSQLinjection and his reporting on how he managed the #vulnerability. 💻 Learn more here on #ExploitsExplained 🔗: syn.ac/3EBPkAH

1
33
69
Replying to @_0xPb
This Thread is Saved to your Notion Workspace. These tags were saved to the thread [Nosqlinjection]