FixVibe

// probes / spotlight

NoSQL Operator Injection

MongoDB-style operators in user-controlled JSON turn your query into a wildcard.

Il gancio

NoSQL is not no-injection. The shape of the bug differs from classical SQLi — there's no string concatenation, no quote-escaping rituals — but the consequence is the same: the attacker controls part of a database query and uses that control to read or modify data they shouldn't. The bug rides in on JSON, slips past frameworks that proudly advertise 'no SQL means no SQL injection,' and lands in production codebases that copy-paste from the official MongoDB tutorials. Express + Mongoose + body-parser is the canonical recipe; FastAPI + Motor + a Pydantic gap is the same recipe with different ingredients.

Come funziona

NoSQL injection appears when untrusted request data changes database filter logic instead of being treated as a literal value. It often affects JSON-heavy APIs and authentication flows.

Il raggio d'azione

Authentication bypass is the headline impact — `{$ne: null}` against the password field matches every user. Mass data extraction follows: boolean blind oracles via `$regex` recover field contents one character at a time. Update-side exposure is real too: an admin endpoint accepting filter JSON can be tricked into matching unintended rows for an UPDATE or DELETE. In a multi-tenant SaaS the attacker reads across tenants. In an e-commerce app they read every order.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Cast input to its expected type at the boundary, before it reaches any query layer. Strings should be strings; numbers should be numbers; nothing should be an object unless your schema explicitly allows it. The cleanest path is schema validation with Zod, Yup, io-ts, or class-validator — each one has a `.string()` validator that rejects objects outright. Mongoose's strict schema also rejects unknown operator keys, but only if you've defined the schema and use it. As a second layer, sanitize at the HTTP boundary: `express-mongo-sanitize` strips `$`-prefixed keys from request bodies. Avoid `$where` entirely (deprecated in modern Mongo, never user-controllable). Use parameterized aggregation pipelines built server-side rather than constructing them from request input. As with SQLi, the structural fix — validating types before querying — eliminates the entire bug class. Spot-fixes (escape this one field, sanitize that endpoint) leave the next vulnerability waiting.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Sonde attive
127
test eseguiti in questa categoria
modules
48
controlli dedicati a sonde attive
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

NoSQL Operator Injection — Vulnerabilità in primo piano | FixVibe · FixVibe