NoSQL injection exploits the query languages of non-relational databases: MongoDB, CouchDB, DynamoDB, Redis. Unlike SQL injection, NoSQL injection typically involves: operator injection (using MongoDB operators like $gt, $ne, $regex in query parameters), JavaScript injection in MongoDB's server-side JavaScript evaluation, authentication bypass through operator manipulation, and data extraction through boolean-based or error-based techniques. Testing requires understanding the specific NoSQL database in use and its query syntax, as each database has different injection vectors.
NoSQL Injection: Attacking MongoDB, CouchDB, and Document Databases for Malaysian Enterprises
NoSQL databases are vulnerable to injection attacks that differ from SQL injection. This covers testing for operator injection and authentication bypass, with guidance for the Malaysian (MY) market.
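As an added example (not code from the original page), the sketch below shows the check a reviewer or tester looks for around operator injection: a login filter built directly from a parsed JSON body next to a hardened form that accepts only strings, plus a recursive scan that reports `$`-prefixed keys. The function names, field names and sample bodies are hypothetical and constructed for illustration.

```javascript
// Added example; all function names, field names and sample inputs are hypothetical.

// Recursively collect the paths of keys starting with "$" (MongoDB operators
// such as $gt, $ne, $regex) in a parsed request body or query object.
function findOperatorKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith("$")) hits.push(here);
      hits.push(...findOperatorKeys(child, here));
    }
  }
  return hits;
}

// Vulnerable shape: client-supplied values go straight into the filter, so an
// object value is interpreted by the database as an operator expression.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened shape: only primitive strings are accepted, so the filter can only
// express equality. (A real application would verify a password hash instead
// of querying on the password; the field is kept to mirror the text.)
function buildLoginFilter(body) {
  for (const field of ["username", "password"]) {
    if (typeof body[field] !== "string") {
      throw new TypeError(`${field} must be a string`);
    }
  }
  return { username: { $eq: body.username }, password: { $eq: body.password } };
}

// Constructed sample inputs, as a JSON body parser would produce them.
const benign = JSON.parse('{"username":"alice","password":"s3cret"}');
const operatorBody = JSON.parse('{"username":"alice","password":{"$ne":null}}');

function demo() {
  let rejected = false;
  try { buildLoginFilter(operatorBody); } catch (e) { rejected = e instanceof TypeError; }
  return {
    benignHits: findOperatorKeys(benign),
    operatorHits: findOperatorKeys(operatorBody),
    unsafeFilterHits: findOperatorKeys(buildLoginFilterUnsafe(operatorBody)),
    rejected,
  };
}
```

The same scan can run as request-validation middleware or over logged request bodies to flag operator keys arriving in fields that should only ever hold strings.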