loading
loading
Vulnerabilities
A fast NoSQL injection scanner and injector, with a focus on MongoDB.
overview
nosqli tests web targets for NoSQL injection, the class of flaw where attacker-controlled input reaches a NoSQL query and changes its logic. It focuses on MongoDB, the most common backend for this bug, and both detects injectable parameters and demonstrates the injection rather than only flagging a guess.
It fits real testing workflows. Point it at a URL with parameters, supply POST data, or load a full request saved from Burp or ZAP so headers and body match the application exactly. Force HTTPS, route through a proxy for inspection, and set a custom user agent when a target filters on it.
On Trickest, nosqli is a Vulnerabilities node that takes a target URL or request file and writes a file and a folder of results. Run it against endpoints a crawler or parameter-discovery stage surfaced, so injection testing concentrates on URLs that take user input.
use cases
Point nosqli at a parameterized URL to detect injectable inputs and confirm the injection, focusing on MongoDB-backed endpoints.
Load a request saved from Burp or ZAP so the scan reproduces the exact headers and body the application expects before injecting.
Supply default POST data so form and API endpoints get tested for injection, not only query-string parameters.
Route requests through a proxy to watch the injection payloads and responses while validating a finding by hand.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | --target | Target URL, e.g. http://site.com/page?arg=1. |
| request | FILE | --request | Load a request from a file, such as one generated in Burp or ZAP. |
| data | STRING | --data | Default POST data (without any injection strings). |
| https | BOOLEAN | --https | Always send requests as HTTPS (defaults to HTTP with request files). |
| proxy | STRING | --proxy | Proxy requests through this proxy URL. |
| user-agent | STRING | --user-agent | Specify a custom user agent. |
| config | FILE | --config | Config file. |
Showing key inputs. nosqli exposes 7 inputs in total.
example
# scan a parameterized URL for NoSQL injectionnosqli scan --target 'http://example.com/user/lookup?user=guest' --data 'role=user' --proxy http://198.51.100.10:8080Scanning http://example.com/user/lookup?user=guest Testing parameter: userTesting parameter: role Found the following NoSQL injections: Type: Boolean-based blind URL: http://example.com/user/lookup?user[$ne]=guest Param: user 1 injection found on http://example.com/user/lookupguidance
Use nosqli when an endpoint takes user input and the backend may be NoSQL, especially MongoDB. It is a focused injection scanner, so feed it parameterized URLs or captured requests from a crawl, and use sqlmap instead when the backend is a SQL database.
The standard for SQL injection. nosqli covers the NoSQL case sqlmap does not, so pick by backend type.
Parameter-focused scanner aimed at XSS. nosqli targets NoSQL injection on the same kind of parameterized endpoints.
Command-injection scanner. nosqli stays on the NoSQL query layer rather than OS command execution.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Katana crawls a target for parameterized URLs, then nosqli tests them for NoSQL injection and writes the injectable endpoints as a queryable output.
Facts on this page come from the live Trickest tool library.