What is the "NoSQL injection → auth bypass → admin" attack path?

Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil sensitive collections (T1041) — a exfiltration primitive. Assumed environment: Node + Mongo (or PHP + Mongo) login route accepts JSON body and embeds it in find/findOne unsanitised.

What is the final impact of this kill-chain?

The final step lands on Inject $ne / $gt operator (W-NOSQLI), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

NoSQL injection → auth bypass → admin

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Exfiltration

Exfil sensitive collections

T1041 · Exfiltration Over C2 Channel

Initial Access

Authenticate as admin

T1078 · Valid Accounts

Reconnaissance

Find JSON login endpoint

W-RECON-API-DISCO · API Endpoint Discovery

Collection

Enumerate users via $regex blind

W-NOSQLI · NoSQL Injection (MongoDB)

Collection

Inject $ne / $gt operator

W-NOSQLI · NoSQL Injection (MongoDB)

{"username":"admin","password":{"$ne":null}}

§ Context

Assumed environment: Node + Mongo (or PHP + Mongo) login route accepts JSON body and embeds it in find/findOne unsanitised. No bcrypt-then-compare-string pattern.

§ Steps

01
Exfil sensitive collectionsExfiltration
T1041— Exfiltration Over C2 Channel
02
Authenticate as adminInitial Access
T1078— Valid Accounts
03
Find JSON login endpointReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
04
Enumerate users via $regex blindCollection
W-NOSQLI— NoSQL Injection (MongoDB)
05
Inject $ne / $gt operatorCollection
W-NOSQLI— NoSQL Injection (MongoDB)
{"username":"admin","password":{"$ne":null}}

§ References

T1041Exfiltration Over C2 Channel
T1078Valid Accounts

§ Frequently asked

What is the "NoSQL injection → auth bypass → admin" attack path?: Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Exfil sensitive collections (T1041) — a exfiltration primitive. Assumed environment: Node + Mongo (or PHP + Mongo) login route accepts JSON body and embeds it in find/findOne unsanitised.
What is the final impact of this kill-chain?: The final step lands on Inject $ne / $gt operator (W-NOSQLI), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

NoSQL injection → auth bypass → admin

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Vesting beneficiary replace → silently drain stream

Apple Pay Express Transit relay → high-value contactless fraud

Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

ERC-4626 first-depositor inflation → drain new deposits

Insider admin panel coercion → mass account takeover (Twitter 2020)

SAML signature wrapping (XSW) → impersonate admin