NoSQL Injection

Why document stores are not immune to injection through operators and objects.


A Different Shape Of Injection

NoSQL injection targets document and key-value stores by smuggling query operators or structured objects into a place where the application expects a plain scalar value. Because many drivers accept rich query objects built from arbitrary JSON, an attacker can change the comparison logic of a query without any classic SQL syntax: the injected payload is a data structure, not a string fragment.

How It Happens

  • A login that compares a field to user input may accept an object meaning "not equal to" or "greater than" in place of the expected string, so the condition matches any record instead of one.
  • Passing a parsed request body straight into a query lets attackers inject operator keys, because the driver cannot tell an application-built operator from a user-supplied one.
  • Server-side JavaScript evaluation in some engines turns the same injection point into code execution.

Defenses

  • Validate types so that a field which should be a string is never accepted as an object or array.
  • Use parameterized query builders and reject operator keys (keys beginning with the driver's operator prefix) anywhere in user input.
  • Disable server-side evaluation features unless strictly required.
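The two lists above, worked through as an added example that is not part of the original lesson: a small in-memory stand-in for a document-store query (only the `$ne`, `$gt` and `$regex` operators are modelled, and the sample user record is constructed) shows why handing a parsed request body to the query matches any record, and what the type check and operator-key rejection look like in front of it.

```javascript
// Constructed sample data standing in for a users collection.
const users = [{ username: "alice", password: "s3cret" }];

// Minimal matcher in the style of a document store: a plain value means
// equality, an object means "apply these operators to the stored field".
function fieldMatches(stored, cond) {
  if (cond === null || typeof cond !== "object") return stored === cond;
  return Object.entries(cond).every(([op, v]) =>
    op === "$ne" ? stored !== v :
    op === "$gt" ? stored > v :
    op === "$regex" ? new RegExp(v).test(String(stored)) : false);
}

function find(filter) {
  return users.filter(doc =>
    Object.entries(filter).every(([key, cond]) => fieldMatches(doc[key], cond)));
}

// Vulnerable: the parsed request body goes into the filter untouched, so a
// body like {"username":"alice","password":{"$ne":""}} matches alice's record.
function loginVulnerable(body) {
  return find({ username: body.username, password: body.password }).length > 0;
}

// Defense 1: reject any operator-looking key anywhere in the input tree.
function hasOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(([k, v]) => k.startsWith("$") || hasOperatorKey(v));
}

// Defense 2: enforce the expected type before anything reaches the query.
function loginHardened(body) {
  if (hasOperatorKey(body)) throw new TypeError("operator keys are not allowed");
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("credentials must be strings");
  }
  return find({ username, password }).length > 0;
}
```

The type check alone already closes the login bypass; the operator-key scan is the generic filter to apply on endpoints that legitimately accept structured input.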

Key idea

NoSQL injection abuses operator objects passed where values belong, so enforce expected types and reject operator keys before they reach the query.

Check yourself


1. How does NoSQL injection usually differ from SQL injection?

2. Which control best prevents it?