This lab demonstrates a practical attack scenario where a MongoDB-backed user lookup feature is vulnerable to NoSQL injection, allowing an attacker to enumerate and extract administrator credentials.
- Detect NoSQL injection vulnerabilities via user input.
- Exploit logical operators to perform boolean-based blind injection.
- Enumerate password length and values using crafted payloads.
- Extract sensitive data from a misconfigured MongoDB backend.
Difficulty: Intermediate
Duration: 45 minutes
- Basic knowledge of HTTP requests
- Familiarity with MongoDB queries
- Some experience with Burp Suite or similar tools
- Detection and exploitation of NoSQL injection flaws
- Blind enumeration techniques
- Crafting payloads for JavaScript-based backends
```text
├── build/
│   └── web/                  # Web application
│       ├── app.py
│       ├── requirements.txt
│       ├── templates/
│       └── static/
├── deploy/                   # Production deployment
├── test/                     # Test files
├── docker-compose.dev.yml    # Development environment
└── test_lab.py               # Standardized test script
```
```bash
# Start development environment
docker-compose -f docker-compose.dev.yml up -d

# Access the application
open http://localhost:3206

# Start production environment
docker-compose -f deploy/docker-compose.yaml up -d

# Access the application
open http://localhost:3206

# Run the standardized test script
python test_lab.py
```
- Web Service: Flask application with a vulnerable API endpoint
- Database Service: MongoDB 6.0 with persistent storage
- Vulnerability: JSON injection in the user lookup endpoint, where a JSON object supplied in place of a username string is passed through to the MongoDB query as an operator
- Target: Extract the administrator password
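To make the lookup flaw concrete from the fixing side, here is an added example (not the lab's own `app.py`): the unsafe query construction the endpoint exhibits, beside a hardened builder that enforces a plain-string username and rejects MongoDB operator keys anywhere in the request body. It assumes a JSON body with a `username` field and a `users` collection, and needs no database to run.

```python
from typing import Any


def build_user_query_unsafe(body: dict) -> dict:
    """Vulnerable pattern: whatever JSON value the client sent becomes the
    filter. A dict value such as {"$ne": ""} is interpreted by MongoDB as a
    query operator, so the lookup matches users the caller never named."""
    return {"username": body.get("username")}


def contains_operator(value: Any) -> bool:
    """Walk a decoded JSON value and report any key beginning with '$'
    (a MongoDB operator) at any depth, including inside lists."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_user_query(body: dict) -> dict:
    """Hardened builder: reject operator keys in the whole body as defence in
    depth, then require the username to be a bounded plain string. Because the
    value placed in the filter is guaranteed to be a str, MongoDB treats it as
    a literal and boolean-based probing of other fields is no longer possible."""
    if contains_operator(body):
        raise ValueError("query operators are not permitted in request fields")
    username = body.get("username")
    if not isinstance(username, str) or not 1 <= len(username) <= 64:
        raise ValueError("username must be a string of 1 to 64 characters")
    return {"username": username}


if __name__ == "__main__":
    # Constructed request bodies: one benign, one carrying an operator object.
    benign = {"username": "alice"}
    hostile = {"username": {"$ne": ""}}
    print("unsafe:", build_user_query_unsafe(hostile))   # operator reaches the query
    print("safe:  ", build_user_query(benign))
    try:
        build_user_query(hostile)
    except ValueError as exc:
        print("safe rejected hostile body:", exc)
```

In a Flask handler the hardened builder is called on `request.get_json()` and a `ValueError` is mapped to a 400 response, so the collection is only ever queried with a literal string.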
https://github.com/example/nosql-lab/issues
This is a deliberately vulnerable lab designed solely for educational purposes.