Last year, I started working on a NoSQL injection framework, because I just didn't find a tool that suited my purposes. Other tools are too hard to automate in my workflow, or missed a lot of the simple test cases I tried.
$ nosqli NoSQLInjector is a CLI tool for testing Datastores that do not depend on SQL as a query language. nosqli aims to be a simple automation tool for identifying and exploiting NoSQL Injection vectors. Usage: nosqli [command] Available Commands: help Help about any command scan Scan endpoint for NoSQL Injection vectors version Prints the current version Flags: --config string config file (default is $HOME/.nosqli.yaml) -d, --data string Specify default post data (should not include any injection strings) -h, --help help for nosqli -p, --proxy string Proxy requests through this proxy URL. Defaults to HTTP_PROXY environment variable. -r, --request string Load in a request from a file, such as a request generated in Burp or ZAP. -t, --target string target url eg. http://site.com/page?arg=1 -u, --user-agent string Specify a user agent Use "nosqli [command] --help" for more information about a command. $ nosqli scan -t http://localhost:4000/user/lookup?username=test Running Error based scan... Running Boolean based scan... Found Error based NoSQL Injection: URL: http://localhost:4000/user/lookup?=&username=test param: username Injection: username='
I tried to keep a simple and flexible CLI interface for scanning. You can pass in a target URL with GET parameters that need to be scanned, or a saved request with POST data. The scanner is smart enough to know if the data is JSON or form data, and will inject either way.
The configurations currently support running through a proxy (so you can view the generated traffic in Burp or similar software) and changing the user agent.
NoSQLi has the most commonly found injection vectors implemented:
Error Scans: Look for known error strings in responses from the server.
Blind Boolean Injections: When the page doesn't return errors, but does return different data when
false is returned from the database (or when some records are retrieved vs. no records)
Timing based injections: When all else fails, if the database sends a delayed response after a successful injection.
Using NoSQLi with Requests
A key feature missing from a few scanners I tried previously was the ability to export a request from a proxy and run the injections based on that. NoSQLi can leverage this easily, and keeps all the header information, including things like user agent.
While the tool does not yet support importing a full session log and executing tests against all requests sequentially, saving a standard HTTP request to a file and referencing that file allows repeatable tests, or extraction from other tools such as Burp.
The github page has all the instructions. You can build from source or download and run the appropriate executable for your system.
Roadmap / Future features
I'd like to support data extraction and specific tests for NoSQL databases beyond MongoDB. If you have ideas, try it out and let me know what else you would like to see!