A purposely vulnerable NodeJS and MongoDB application
Multiple ways to do NoSQL Injection on Mongo. More to be added.
Docker is the simplest way to get the app running. Just run the following
docker-compose build
docker-compose upnavigate to http://localhost:4000
You'll need to install and run a local Mongo instance. On Ubuntu, it's as simple as apt install mongodb. Once running, you may have to specify the db path, or update the config.
$ sudo mongod --dbpath /var/lib/mongodbAdd environment variables MONGO_PORT and MONGO_HOST if not running on localhost and default port. Once mongo is running successfully, start nodemon
cd app; nodemon serverNavigate to http://localhost:4000
Click on the populate / reset data link on the homepage to load in some users.
https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html https://scotch.io/@401/mongodb-injection-in-nodejs https://isc.sans.edu/forums/diary/Attacking+NoSQL+applications/21787/