In previous posts I have talked about SQL injection. It is usually the first example of computer security a student is given: the classic payload ' or 1=1 -- a
However, this is only useful against servers that use relational databases such as MySQL, MSSQL or Oracle. In the last decade another type of database has appeared: non-relational databases such as CouchDB or MongoDB.
This type of database is used to store large amounts of loosely structured data that do not fit the tabular model of SQL databases: images, videos, social media content, and so on.
The queries made to these NoSQL databases are very different from SQL queries, so inserting a quotation mark into a parameter will not work here. That does not mean they are free of injection, though. In this post I will show how and why NoSQL injection works through proofs of concept. All examples are based on the book "The Hacker Playbook 3".
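The paragraph above says a quotation mark is the wrong tool against a NoSQL backend because the query is a document, not a string. The following is an added example (it is not code from the original post or from The Hacker Playbook 3) that simulates MongoDB-style filter semantics in memory so the point can be seen without a database: a login handler that splices a parsed JSON body straight into the filter, beside two hardened variants. Assumptions: the toy matcher only implements literal equality, $ne and $gt, the user records are constructed sample data, and the "$"-key scrub mirrors the approach of libraries such as mongo-sanitize without using that library.

```javascript
// Added example: in-memory simulation of a MongoDB-style filter, used to
// contrast a vulnerable login check with hardened versions. Not the post's code.

const users = [                      // constructed sample records
  { username: "alice", password: "s3cret" },
  { username: "bob",   password: "hunter2" },
];

// Toy evaluation of a filter document against one record (assumption: only
// equality, $ne and $gt are modelled). In MongoDB a value that is an object
// such as {"$ne": ""} is an operator expression, not a literal; that
// difference is what NoSQL injection relies on.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, v]) => {
        if (op === "$ne") return doc[field] !== v;
        if (op === "$gt") return doc[field] > v;
        throw new Error("toy matcher: unsupported operator " + op);
      });
    }
    return doc[field] === cond;      // plain value: literal equality
  });
}

function find(filter) {
  return users.filter((doc) => matches(doc, filter));
}

// Vulnerable pattern: the parsed JSON body is forwarded unchanged, so the
// caller decides whether each field is a literal or an operator expression.
function loginVulnerable(body) {
  return find({ username: body.username, password: body.password });
}

// Hardening 1: credential fields must be primitive strings. An object in
// either field is rejected before it can reach the filter.
function loginTypeChecked(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return [];                       // reject; a real handler would respond 400
  }
  return find({ username: body.username, password: body.password });
}

// Hardening 2: generic scrub that refuses any key beginning with "$"
// anywhere in the object tree. Useful when some fields may legitimately be
// objects and a plain type check is too strict.
function containsOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith("$") || containsOperatorKey(v)
  );
}

function loginScrubbed(body) {
  if (containsOperatorKey(body)) return [];
  return find({ username: body.username, password: body.password });
}
```

With a normal string body all three handlers behave the same; the difference appears only when a field arrives as an object, which is exactly the case a JSON body parser lets through. The type check is the simplest fix for credential fields; the key scrub is the defensive default to apply to every request body when object-valued fields are expected. Logging rejected bodies from either guard also gives a cheap detection signal for probing.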
idoit = idiot
Never heard about this kind of SQLi. Congrats!!