Skip to content
Field Detail
Platform PortSwigger Web Security Academy
Type NoSQL Injection / Operator Injection
Difficulty Apprentice
Objective Inject MongoDB query operators into the login endpoint to authenticate as the administrator without knowing the password

Exploiting NoSQL Operator Injection to Bypass Authentication

I logged in as wiener:peter and intercepted the login POST:

{"username":"wiener","password":"peter"}

The request body is JSON — MongoDB operator injection is straightforward here. Unlike syntax injection (which breaks query strings with ' or {), operator injection substitutes valid JSON values with operator objects. The query structure stays valid; only the semantics change.

Testing whether operators are processed by substituting the username with a $regex expression:

{"username":{"$regex":"wie.*"},"password":"peter"}
Screenshot

Response redirected to /my-account?id=wiener — the regex matched and we authenticated. The server is passing the operator object directly to MongoDB without sanitizing it.

Targeting the admin account with $regex to match any username starting with adm and $ne to bypass the password check:

{"username":{"$regex":"adm.*"},"password":{"$ne":"teto"}}

$ne with a dummy value matches any password that isn't teto — which includes the real admin password. Combined with the username match, this authenticates as the first matching user without knowing credentials.

Screenshot
HTTP/2 302 Found
Location: /my-account?id=adminr756as2s

The redirect target leaked the actual admin username — information we didn't have before. $regex turns a login form into a username disclosure tool. I copied the session cookie into the browser:

Screenshot

Logged in as administrator.

Lab solved

Resources