In this article· 32 sectionsJump to any section of the article
- 1What Is NoSQL Injection?
- 2How NoSQL Injection Differs from SQL Injection
- 3Types of NoSQL Injection Attacks
- 4NoSQL Injection Examples in MongoDB
- 5NoSQL Injection in Other Databases
- 6How to Detect NoSQL Injection at Runtime
- 7NoSQL Injection Prevention Strategies
- 8WAF vs RASP for NoSQL Injection
- 9Testing for NoSQL Injection
- 10Frequently Asked Questions
Most NoSQL injection guides stop at the same recommendation: validate your inputs, use mongo-sanitize, parameterize your queries. All good advice. None of it explains what to do when those layers fail. Because they will fail. A new dependency ships with a bypass. A legacy endpoint never got the type check. A teammate adds a new field and forgets to update the schema.
This article covers what NoSQL injection actually is, the operator types attackers exploit in MongoDB and other NoSQL databases, real code examples in Node.js and .NET, and the runtime detection layer that catches what input validation misses. We will go beyond the standard “use sanitization libraries” advice and look at how to detect injection attempts at the database driver level, where they cannot be encoded or fragmented away.
If you build applications on MongoDB, Azure CosmosDB, RavenDB, Couchbase, or Redis, the techniques here apply to all of them. The specific syntax differs, but the underlying class of vulnerability, and the runtime defense against it, stays the same.
What Is NoSQL Injection?
NoSQL injection is a class of injection vulnerabilities where attackers manipulate database queries by injecting operators, objects, or JavaScript expressions instead of expected string values. Unlike SQL injection, which exploits SQL syntax through string concatenation, NoSQL injection exploits the JSON-based query operators ($ne, $gt, $where) used by databases such as MongoDB, CosmosDB, and RavenDB.
The vulnerability is cataloged under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and falls under OWASP A03:2021 Injection, the same top-ten category as SQL injection. It is not a separate, exotic risk. It is the same fundamental problem (untrusted input reaching a query) expressed in a different query language.
The reason NoSQL injection exists as a distinct class is that NoSQL databases do not share a single standardized query language the way relational databases share SQL. MongoDB uses MQL with JSON operators. Couchbase uses N1QL (SQL-like). RavenDB uses RQL with optional JavaScript patches. Redis uses its own command syntax plus Lua scripts. Each engine has its own injection vectors, and traditional input sanitization libraries built for SQL injection rarely cover all of them.
When successful, NoSQL injection allows attackers to bypass authentication, exfiltrate sensitive data, manipulate query results, cause denial-of-service through expensive operations, and in some cases execute arbitrary JavaScript on the database server. The impact is comparable to SQL injection. The defense mechanisms, however, are not the same.
How NoSQL Injection Differs from SQL Injection
The two attacks share the same root cause (untrusted input reaching a query without proper validation) but they exploit different mechanisms. Understanding the difference clarifies why prevention techniques designed for SQL injection do not fully protect a NoSQL application.
| Criterion | SQL Injection | NoSQL Injection |
|---|---|---|
| Typical vector | String concatenation (' OR 1=1 --) | Object/operator injection ({"$ne": ""}) |
| Query language | Standardized SQL | JSON/BSON, varies per engine |
| Common payloads | UNION SELECT, OR 1=1, comment escapes | $ne, $gt, $where, $regex |
| WAF detection | Mature signatures | Immature, easy to bypass via encoding |
| Common platforms | MySQL, PostgreSQL, MSSQL, Oracle | MongoDB, CosmosDB, Couchbase, Redis |
| Static analysis | Mature taint analysis | Limited (type tracking is harder) |
The key conceptual difference: SQL injection works by concatenating strings into a query that the database parses as SQL. NoSQL injection works by passing objects or types different from what the application expected, which the database driver then interprets as legitimate query operators.
If your authentication handler reads password from req.body expecting a string and an attacker sends { "$ne": "" } instead, the application happily passes that object to MongoDB. MongoDB sees a valid query operator. The login succeeds. No string concatenation. No SQL syntax. Just a type mismatch the application never checked for.
This is also why mongo-sanitize, which strips operators starting with $ or containing dots, is not a complete solution. It addresses the most common case but leaves others uncovered: $where reached through indirect paths, type juggling in fields the sanitizer does not process, and injection through JSON Schema bypasses.
Types of NoSQL Injection Attacks
NoSQL injection comes in several flavors. The classification matters because the detection and prevention techniques differ for each one.
1. Operator Injection ($ne, $gt, $lt, $regex)
The most common form. The attacker submits a JSON object containing a MongoDB query operator where the application expected a primitive value. The operator changes the semantics of the query without modifying its structure.
// Vulnerable: password expected as a stringapp.post('/login', async (req, res) => { const { username, password } = req.body; // Attacker sends: { "username": "admin", "password": { "$ne": "" } } // MongoDB query becomes: find user where password != empty string // → matches any user with any password const user = await User.findOne({ username, password }); if (user) return res.json({ success: true }); res.status(401).json({ error: 'Invalid credentials' });});The fix at this layer is type validation before the query: if (typeof password !== 'string') return res.status(400).json({ error: 'Invalid input' });. Simple, but it must be applied consistently across every endpoint that accepts user input.
2. JavaScript Injection ($where clause)
MongoDB supports executing JavaScript inside queries via the $where operator. When user input ends up in a $where clause, attackers can execute arbitrary JavaScript on the database server.
// Vulnerableconst filter = req.body.filter; // Attacker controls thisconst results = await db.collection('users').find({ $where: filter }).toArray();// Attack: "function() { while (true) {} }" -> server-side denial of service// Attack: data extraction via timing differences or boolean conditionsThe fix: disable JavaScript execution globally if you do not need it, or never pass user input into a $where clause. This is the most dangerous class of NoSQL injection because it crosses the line from data manipulation into code execution.
3. Type Juggling (Object vs String)
A subtype specific to dynamic languages like Node.js and PHP. The request body parser accepts objects or arrays where the application expected primitives. This is the underlying mechanism behind most $ne attacks. The fix is type enforcement before any query.
4. Tautology (Always-True Conditions)
The NoSQL equivalent of OR 1=1. Operators like {"$gt": ""} or {"$regex": ".*"} always evaluate to true. Used for authentication bypass or full-collection extraction.
5. Blind NoSQL Injection (Time-based or Boolean-based)
When the application does not return query results visibly, the attacker infers responses by observing timing or boolean differences. Time-based: inject $where with long-running JavaScript. Boolean-based: use $regex with progressively narrower patterns to extract data character by character. Detection at the application layer is hard: the requests look identical until you correlate hundreds of them.
NoSQL Injection Examples in MongoDB
These examples show realistic vulnerable code patterns next to their attack payloads and the fixes that close them. All examples are functional and copyable.
Example 1: Authentication Bypass via $ne
// VULNERABLE: Express + Mongooseapp.post('/login', async (req, res) => { const { email, password } = req.body; const user = await User.findOne({ email, password }); if (!user) return res.status(401).json({ error: 'Invalid credentials' }); res.json({ message: 'Login successful', user });});Attack payload (sent as JSON body):
{ "email": "admin@example.com", "password": { "$ne": "" } }MongoDB interprets { "$ne": "" } as “password is not equal to empty string,” which is true for every user that has any password set. The attacker logs in as the admin without knowing the actual password.
Fix:
app.post('/login', async (req, res) => { const { email, password } = req.body; if (typeof email !== 'string' || typeof password !== 'string') { return res.status(400).json({ error: 'Invalid input format' }); } // Now safe: both values are guaranteed strings const user = await User.findOne({ email, password }); if (!user) return res.status(401).json({ error: 'Invalid credentials' }); res.json({ message: 'Login successful', user });});Example 2: Data Extraction via $regex
// VULNERABLE: endpoint that searches users by usernameapp.get('/users/search', async (req, res) => { const { username } = req.query; const users = await User.find({ username }).select('username email'); res.json(users);});Attack: instead of ?username=alice, the attacker sends ?username[$regex]=^a. The Express query parser turns bracket notation into an object: { "$regex": "^a" }. MongoDB returns every user whose username starts with the letter “a.” By iterating through characters, the attacker enumerates the entire collection.
Fix: the same type validation as Example 1, or use Mongoose schemas with strict: true and explicit field types.
Example 3: Server Compromise via $where
// VULNERABLE: custom filter endpointapp.post('/reports/custom', async (req, res) => { const results = await db.collection('orders') .find({ $where: req.body.filter }) .toArray(); res.json(results);});Attack: the request body sends arbitrary JavaScript that runs on the MongoDB server. An infinite-loop payload like while(true) locks up server resources. A more sophisticated payload extracts data by encoding results in timing differences.
Fix: never let user input flow into $where. If custom filtering is required, build the query yourself using safe operators and validated field names from an allowlist.
Example 4: .NET / MongoDB.Driver Equivalent
// VULNERABLE: building a filter from raw BsonDocument inputpublic async Task<User> FindUser(string email, BsonValue password){ var collection = _database.GetCollection<User>("users"); var filter = new BsonDocument { { "email", email }, { "password", password } // attacker controls this BsonValue }; return await collection.Find(filter).FirstOrDefaultAsync();}The attacker passes a BsonDocument containing { "$ne": "" } as the password parameter. Same operator injection as the Node.js case.
Fix using FilterDefinitionBuilder with strict types:
public async Task<User> FindUser(string email, string password){ var collection = _database.GetCollection<User>("users"); var filter = Builders<User>.Filter.And( Builders<User>.Filter.Eq(u => u.Email, email), Builders<User>.Filter.Eq(u => u.Password, password) ); return await collection.Find(filter).FirstOrDefaultAsync();}The strongly-typed signature prevents the attacker from passing anything other than a string. The builder forces equality comparison, not operator interpretation.
NoSQL Injection in Other Databases
NoSQL injection is not exclusive to MongoDB. Any database that builds queries from user input is vulnerable, and each engine has its own vectors.
Azure CosmosDB
CosmosDB supports multiple APIs. The SQL API is vulnerable to SQL-like injection through its parameterless query interface. The Mongo API is vulnerable to the same operator injection as MongoDB. The most common mistake is using string concatenation with the SQL API instead of the official WithParameter() method, which produces parameterized queries that resist injection by construction.
RavenDB
RavenDB queries use RQL (Raven Query Language) and support patches through JavaScript. RQL injection occurs when user input flows into raw query strings. JavaScript patch injection happens when an attacker influences the script that modifies document state. Less common than MongoDB injection in the wild, but present in enterprise .NET stacks.
Couchbase (N1QL Injection)
Couchbase’s N1QL is SQL-like, which means N1QL injection looks almost identical to SQL injection. Tautologies (OR 1=1), comment escapes, and UNION-style attacks all work. The defense is the same: parameterized queries through Couchbase’s prepared statements API.
Redis (Command Injection)
Redis does not have a query language per se, but it does have commands. When applications build Redis commands from user input, particularly with EVAL running Lua scripts, command injection is possible. The attacker injects new commands or script payloads that run with the application’s database privileges.
Summary across engines:
| Database | Query Language | Common Injection Vectors | Severity |
|---|---|---|---|
| MongoDB | MQL / JSON | $ne, $gt, $where, $regex | High |
| CosmosDB (SQL API) | Cosmos SQL | SQL-like injection | High |
| CosmosDB (Mongo API) | MQL | Operator injection | High |
| RavenDB | RQL + JS patches | RQL injection, JS patch | Medium-High |
| Couchbase | N1QL | N1QL injection (SQL-like) | High |
| Redis | Commands + Lua | Command injection, EVAL injection | High |
How to Detect NoSQL Injection at Runtime
Most NoSQL injection guides stop after the prevention section. The runtime detection question, what happens when prevention fails, gets ignored. It should not. In my experience, the applications that get caught by NoSQL injection in production are not the ones with no defenses. They are the ones with defenses applied to most endpoints but not all. New dependencies introduce new bypasses. Legacy code never got the type checks. A team member adds an endpoint and forgets the validation.
There are three approaches to detecting NoSQL injection in running applications, and they have meaningfully different capabilities.
1. Pattern Matching at WAF Level
A traditional web application firewall (Cloudflare, AWS WAF, Imperva) sits at the network edge and inspects HTTP requests before they reach the application. It can be configured to look for known NoSQL injection patterns in request bodies and parameters: literal $ne, $where, bracket notation, and so on.
The limitation is that a WAF sees only the raw HTTP payload. It has no visibility into how that payload gets parsed, transformed, or routed inside the application. Attackers bypass WAF pattern matching through encoding (URL encoding, Unicode normalization), nested JSON structures the WAF does not parse the same way as the application, and content-type tricks. A determined attacker against a WAF-only defense is mostly slowed down, not stopped.
2. Static Analysis (SAST)
Static analyzers scan source code for vulnerable patterns: input from request body reaching a query without type validation, $where clauses with non-literal arguments, raw BsonDocument construction with external values. SAST is useful at build time and produces actionable findings during code review.
The limitation is that SAST sees code, not execution. It cannot tell you whether a vulnerability is being actively exploited in production, and it generates false positives because it cannot verify that a suspected vulnerable path is actually reachable with attacker-controlled input.
3. Runtime Detection (RASP / In-App WAF)
Runtime application protection intercepts at the database driver level. When the application is about to send a query to MongoDB or another NoSQL engine, the protection layer inspects the actual query object. It is already parsed, already constructed, already in the form the database will see.
This is fundamentally different from WAF inspection. There is no encoding to bypass at this point. The HTTP body has been parsed. The Express middleware has run. The Mongoose schema cast has happened. What the runtime detection sees is the final query, and it can apply two checks the WAF cannot:
- Operator inspection in fields that should be primitives. If
passwordis expected to be a string and the query object contains{ password: { $ne: "" } }, the runtime layer flags it. - Function-level context. The detection includes which handler triggered the query, the request signature, and a confidence score. False positives drop substantially because the detection has full execution context.
A runtime forensic record for a detected NoSQL injection looks roughly like this:
{ "detection": "nosql_injection", "subtype": "operator_injection", "operator": "$ne", "field": "password", "handler": "POST /api/login", "source_ip": "203.0.113.42", "confidence": 0.96, "action": "blocked", "timestamp": "2026-05-29T14:23:11Z"}That level of detail is what separates runtime detection from pattern matching. The defender does not get a vague “suspicious request” alert. They get the exact query, the field, the function, and the payload: enough to investigate and patch in minutes.
The ByteHide App Runtime implementation hooks into the database driver layer (Mongoose for Node.js, MongoDB.Driver for .NET) and applies these checks transparently. No code changes to the application logic. The protection lives below the schema validation and above the database call.
NoSQL Injection Prevention Strategies
No single technique is enough. Effective NoSQL injection defense uses several layers that compensate for each other when individual layers fail.
1. Strict Type Validation
The first and most important layer. Before any field touches a query, verify that its type matches the expected type. Most NoSQL injection attacks involve a value that should have been a string showing up as an object. A typeof check eliminates the entire class of operator injection at the application boundary:
if (typeof email !== 'string' || typeof password !== 'string') { return res.status(400).json({ error: 'Invalid input format' });}This is unglamorous code, but it stops most attacks. The mistake teams make is applying it inconsistently: one validated endpoint and twenty that are not.
2. Schema Validation Libraries
For larger applications, schema validation libraries enforce types at the request boundary in a more maintainable way. Zod (TypeScript-first), Joi (Node.js classic), class-validator (NestJS), and JSON Schema with AJV are all viable choices.
import { z } from 'zod';const LoginSchema = z.object({ email: z.string().email(), password: z.string().min(8)});app.post('/login', async (req, res) => { const parsed = LoginSchema.safeParse(req.body); if (!parsed.success) { return res.status(400).json({ error: 'Invalid input' }); } const { email, password } = parsed.data; // Both guaranteed to be strings of the right shape const user = await User.findOne({ email, password }); // ...});The schema becomes the contract. The application never sees unvalidated input.
3. Parameterized Queries and Safe APIs
Use the framework’s safe APIs instead of building queries by hand. Mongoose schemas with strict: true reject fields not defined in the schema and cast values to declared types. MongoDB.Driver’s FilterDefinitionBuilder produces typed filters that resist operator injection.
// .NET: strongly typed filter, cannot be poisoned with operatorsvar filter = Builders<User>.Filter.Eq(u => u.Email, userInput);4. Disable JavaScript Execution
If your application does not need $where or other JavaScript execution features, disable them at the database level. MongoDB supports running with --noscripting to refuse $where entirely. One configuration change closes the most dangerous class of NoSQL injection.
5. Least-Privilege Database User
The application user should have the minimum permissions required. Read-only endpoints connect with a read-only user. The user that authenticates customers does not also have rights to drop collections. Compromising application credentials should not give an attacker administrative access to the database.
6. Runtime Protection (RASP / In-App WAF)
The final layer catches what the previous five miss. Even with strict validation, schemas, parameterized queries, JavaScript disabled, and least-privilege users, things can still slip through: a new endpoint without validation, a third-party dependency with its own query construction, a bug in the schema that allows an unexpected type through. Runtime protection inspects the query just before it executes and stops the injection at the driver level.
This is not a replacement for the other five layers. It is the safety net beneath them. Production applications under active threat should have all six.
WAF vs RASP for NoSQL Injection
NoSQL injection sits in an awkward spot for traditional WAFs. The patterns are easier to encode and harder to signature than SQL injection, and the operator-vs-string nature of the attack means a WAF often cannot tell whether a suspicious-looking field is actually exploitable without seeing the application code.
| Capability | Traditional WAF | RASP / In-App WAF |
|---|---|---|
| Layer | Perimeter (HTTP) | Application (driver) |
| Visibility | Raw HTTP body | Parsed query object |
| Encoding bypass | Vulnerable | Immune (sees parsed form) |
| Operator detection | Pattern matching | Type-aware, context-aware |
| Forensic depth | URL, IP, headers | Function, payload, confidence score |
| False positives | High (no app context) | Low (full execution context) |
| Multi-DB support | Generic patterns | Driver-specific hooks |
| Deployment | Network reconfiguration | SDK in app |
The honest framing is that WAFs and RASP solve different problems. A WAF is excellent at filtering high-volume known-bad traffic before it hits your application: scanners, scrapers, brute force attempts, common payload signatures. It is not the right tool for detecting whether a specific JSON body, after being parsed by Express middleware and cast by a Mongoose schema, will reach a MongoDB query as an injection.
Runtime detection answers the second question by sitting where the answer is knowable: at the database driver level, after all parsing and casting has happened, before the query goes out. The two layers complement each other. For a deeper comparison of the two approaches across attack categories, see our RASP vs WAF guide.
Testing for NoSQL Injection
Verifying that your application is not vulnerable requires a combination of automated scanning and targeted testing.
NoSQLMap is the closest equivalent to sqlmap for NoSQL databases. It probes applications for common operator injection patterns, $where exploits, and authentication bypass attempts against MongoDB. Free, open source, and widely used in CTFs and pentests.
Burp Suite has community extensions for NoSQL testing, including NoSQLi-specific additions to the Repeater workflow. For manual testing against a specific endpoint, Burp is the standard tool.
The OWASP Testing Guide for NoSQL Injection walks through systematic testing techniques. The PortSwigger Web Security Academy has hands-on labs that cover most of the attack types described above.
For payload libraries, the PayloadsAllTheThings repository on GitHub maintains a comprehensive collection of NoSQL injection payloads sorted by database engine.
In CI/CD pipelines, automated DAST scanners (Invicti, Acunetix, Burp Enterprise) can include NoSQL injection checks. The findings are noisier than dedicated tools but useful for regression detection. Run them against pre-production environments, not production. DAST scanners can lock out admin accounts or fill databases with junk records when they hit a real vulnerability.
Frequently Asked Questions
What is NoSQL injection?
NoSQL injection is a class of injection vulnerabilities where attackers manipulate database queries by passing unexpected types (objects or arrays) or query operators instead of the primitive values the application expected. It is categorized under CWE-943 and falls within OWASP A03:2021 Injection. The attack does not modify SQL syntax. It exploits the JSON-based query operators used by NoSQL databases like MongoDB.
Is MongoDB vulnerable to NoSQL injection?
The MongoDB database engine itself is not the source of the vulnerability. The vulnerability lives in the application code that constructs queries from user input without validating types. Any MongoDB application that passes unvalidated req.body fields into find() or similar operations is vulnerable, regardless of the MongoDB version. Modern MongoDB versions have improved defaults (JavaScript execution can be disabled at the server level), but the application is responsible for input validation.
How is NoSQL injection different from SQL injection?
SQL injection works by injecting SQL syntax into a query through string concatenation. NoSQL injection works by passing objects or operators into a query through type juggling. SQL injection payloads look like ' OR 1=1 --. NoSQL injection payloads look like { "$ne": "" }. The impact (authentication bypass, data exfiltration, denial of service) is similar, but the defense mechanisms differ. Parameterized queries prevent most SQL injection but do not fully prevent NoSQL injection without additional type validation.
Can a WAF detect NoSQL injection?
A WAF can detect obvious NoSQL injection patterns: raw $ne, $where, and $regex strings in request bodies. But it sees only the unparsed HTTP payload. Encoding tricks, nested JSON structures, and content-type confusion can bypass pattern matching. WAFs are useful as a first line of defense for volumetric attacks but not sufficient for sophisticated NoSQL injection attempts. Detection at the database driver level catches what WAFs miss.
What is the best way to prevent NoSQL injection in Node.js?
Defense in depth across multiple layers. At the request boundary, use a schema validation library like Zod to enforce types on every field. In the data access layer, use Mongoose with strict schemas and explicit field types. At the database, disable JavaScript execution ($where) if not needed and grant the application user least-privilege permissions. At runtime, add a protection layer that inspects queries at the driver level to catch what the upper layers miss. No single technique is enough.
Does mongo-sanitize fully prevent NoSQL injection?
No. mongo-sanitize removes keys starting with $ or containing . from request objects. This stops the most common operator injection cases, but it does not stop type juggling in fields where the application expected a string and got an object that no longer contains explicit operators. It also does not protect against $where reached through indirect paths, JSON Schema bypasses, or operator injection in nested objects the sanitizer did not traverse. Treat it as one layer of defense, not the whole defense.
NoSQL injection has been around as long as NoSQL databases. The defense techniques are not exotic. Type validation, schema enforcement, parameterized queries, and least-privilege users have been standard advice for over a decade. What has changed is that applications now reach NoSQL databases through more layers (body parsers, ORMs, GraphQL resolvers, edge functions), and any of those layers can drop the type discipline that the next one assumes.
The runtime detection layer exists because that drop happens. Not because applications are written by careless developers, but because production code touches dependencies and refactors and new features faster than any single layer can catch up. Inspecting the query just before it reaches the database closes the gap that prevention alone cannot.
If you are evaluating runtime protection for a Node.js or .NET stack that uses MongoDB, CosmosDB, RavenDB, Couchbase, or Redis, ByteHide App Runtime detects NoSQL injection at the driver level across all five.
