| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | NoSQL Injection / Operator Injection |
| Difficulty | Apprentice |
| Objective | Inject MongoDB query operators into the login endpoint to authenticate as the administrator without knowing the password |
Exploiting NoSQL Operator Injection to Bypass Authentication¶
I logged in as wiener:peter and intercepted the login POST:
{"username":"wiener","password":"peter"}
The request body is JSON — MongoDB operator injection is straightforward here. Unlike syntax injection (which breaks query strings with ' or {), operator injection substitutes valid JSON values with operator objects. The query structure stays valid; only the semantics change.
Testing whether operators are processed by substituting the username with a $regex expression:
{"username":{"$regex":"wie.*"},"password":"peter"}
Response redirected to /my-account?id=wiener — the regex matched and we authenticated. The server is passing the operator object directly to MongoDB without sanitizing it.
Targeting the admin account with $regex to match any username starting with adm and $ne to bypass the password check:
{"username":{"$regex":"adm.*"},"password":{"$ne":"teto"}}
$ne with a dummy value matches any password that isn't teto — which includes the real admin password. Combined with the username match, this authenticates as the first matching user without knowing credentials.
HTTP/2 302 Found
Location: /my-account?id=adminr756as2s
The redirect target leaked the actual admin username — information we didn't have before. $regex turns a login form into a username disclosure tool. I copied the session cookie into the browser:
Logged in as administrator.
Lab solved