
NoSQL Injection in String Fields Fuzzer

Full Fuzzer Name: NoSqlInjectionInStringFieldsFuzzer

Log Key: NSIISF

Description: This fuzzer sends NoSQL injection payloads into string fields to detect NoSQL injection vulnerabilities (MongoDB, CouchDB, and similar). It uses common operator-based payloads (e.g. $gt, $ne, $where, $regex, $or) and analyzes responses for signs of query manipulation, leaked database internals, or execution-style indicators.

Enabled by default: Yes

Target field types: OpenAPI type string

Expected result when fuzzed field is required: 4XX

Expected result when fuzzed field is optional: 4XX

Expected result when fuzzed value is not matching field pattern: 4XX

Fuzzing logic: Iteratively replaces each string field with NoSQL injection payloads and sends the request to the API:

1. By default, a curated top list of NoSQL payloads is used to reduce execution time.
2. If the --includeAllInjectionPayloads flag is enabled, a comprehensive payload set is used, including operator injections, boolean bypasses, $where JavaScript expressions, and advanced payloads.
3. Each payload is injected into one field at a time while keeping the rest of the request unchanged.
4. Each request is expected to be rejected with 4XX.

Conditions when this fuzzer will be skipped: When the request payload is empty OR no string fields are present in the request payload (base behavior inherited from BaseSecurityInjectionFuzzer).

HTTP methods that will be skipped: HEAD, TRACE (inherited from BaseSecurityInjectionFuzzer)

Injection evidence detection: Analyzes the response body for multiple NoSQL indicators, including:

- Executable operator evidence: presence of NoSQL operators (e.g. $where, $regex, $gt, $ne, $or, $and) combined with JavaScript-like fragments (function, return, this.).
- Mongo internals exposure: markers like ObjectId, _id, bson, mongodb, collection, db., pipeline.
- Database error messages: strings like MongoError, unknown operator, invalid operator, errmsg, query failed, unexpected token.

The fuzzer flags a likely vulnerability when two or more indicators are present in the same response.

Reporting: Reports error if:

1. The response contains multiple NoSQL indicators suggesting injection success or information disclosure.
2. Server responds with 5XX while processing injection payloads.
3. An unexpected response code is returned.

Reports info if:

1. Injection payload is properly rejected with 4XX.
2. Injection payload is accepted with 2XX but no strong evidence is detected (validation gap; verify filtering/encoding and query construction).
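As an added illustration (not the fuzzer's own code), the following Python approximates the evidence-detection and reporting rules described above so a defender can see how a response is triaged. The indicator lists come from this page; the exact matching rules, the function names and the sample responses are assumptions constructed for the example.

```python
# Indicator groups as listed on this page. The real fuzzer's matching rules
# are not shown here, so substring matching is an assumed approximation.
NOSQL_OPERATORS = ("$where", "$regex", "$gt", "$ne", "$or", "$and")
JS_FRAGMENTS = ("function", "return", "this.")
MONGO_INTERNALS = ("ObjectId", "_id", "bson", "mongodb", "collection", "db.", "pipeline")
DB_ERRORS = ("MongoError", "unknown operator", "invalid operator", "errmsg",
             "query failed", "unexpected token")


def find_indicators(body: str) -> set:
    """Return the set of indicator categories present in a response body."""
    found = set()
    # Executable operator evidence requires an operator AND a JS-like fragment,
    # otherwise an echoed "$gt" in a validation message would count on its own.
    has_operator = any(op in body for op in NOSQL_OPERATORS)
    has_js = any(frag in body for frag in JS_FRAGMENTS)
    if has_operator and has_js:
        found.add("executable_operator")
    if any(marker in body for marker in MONGO_INTERNALS):
        found.add("mongo_internals")
    lowered = body.lower()
    if any(err.lower() in lowered for err in DB_ERRORS):
        found.add("db_error")
    return found


def classify(status: int, body: str) -> str:
    """Map one response to the report level the page describes."""
    if len(find_indicators(body)) >= 2:      # two or more indicators -> likely vulnerable
        return "error: multiple NoSQL indicators"
    if 500 <= status < 600:
        return "error: 5XX"
    if 400 <= status < 500:
        return "info: payload rejected"
    if 200 <= status < 300:
        return "info: accepted, no strong evidence"
    return "error: unexpected response code"


# Constructed sample responses (not real API output).
REJECTED = (400, '{"message":"invalid value for name"}')
SERVER_ERROR = (500, '{"errmsg":"unknown operator: $gt","code":2,"ok":0}')
LEAKY = (200, '{"_id":"5f1d7f3e0000000000000000","error":"MongoError: '
              '$where requires function(){ return this.name }"}')


def triage(responses):
    """Classify a list of (status, body) pairs in order."""
    return [classify(status, body) for status, body in responses]


if __name__ == "__main__":
    for verdict in triage([REJECTED, SERVER_ERROR, LEAKY]):
        print(verdict)
```

The 500 response carries only the database-error indicator, so it is reported for the 5XX rather than as multiple indicators; the 200 response hits all three categories and is flagged even though its status code looks benign.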