feat: Add NoSQL injection vulnerability guide

[timlzh]

Adds a detailed NoSQL injection detection guide following the existing template structure.

Changes

✅ Added nosql_injection.jinja - NoSQL Operator injection, JavaScript execution, ODM exploitation, blind extraction techniques

Testing

Guide follows the established format and includes:

• Critical context and scope
• Methodology
• Injection surfaces
• Database-specific primitives (MongoDB, CouchDB, Redis, Cassandra, Neo4j)
• Authentication bypass techniques
• Data extraction methods
• WAF/filter bypasses
• Validation criteria
• Pro tips

Examples

MongoDB Operator Injection

Authentication bypass: {"username": {"$ne": ""}, "password": {"$ne": ""}}
Regex extraction: {"password": {"$regex": "^a.*"}} for character-by-character enumeration
Query string notation: ?username=admin&password[$ne]=wrongpass

JavaScript Execution

$where clause: {"$where": "sleep(5000)"} for timing-based detection
$function operator (MongoDB 4.4+): Server-side JS in aggregation pipelines
Object.keys() enumeration for field discovery

Blind Extraction

Binary search via regex ranges: ^[a-m] vs ^[n-z]
Timing oracle: conditional sleep in $where clauses
ReDoS patterns: {"$regex": "^(a+)+$"} for pathological backtracking

WAF Bypasses

URL encoding: %24ne instead of $ne
JSON unicode escapes: \u0024ne
Operator alternatives: $not instead of $ne, $nin for negation

Framework-Specific Issues

Mongoose: find(req.body) without sanitization
PyMongo: Unsanitized dictionaries from JSON input
GraphQL + MongoDB: Operator injection via variables

[bearsyankees]

@greptileai

[greptile-apps]

Greptile Summary

This PR adds nosql_injection.jinja, a 284-line NoSQL injection detection guide that mirrors the structure of the existing sql_injection.jinja and is auto-discovered by the filesystem-based module loader — no registration changes are needed. The technical content is accurate and comprehensive, covering MongoDB operator injection, SSJS execution, ODM pitfalls, WAF bypasses, blind extraction, and database-specific primitives across MongoDB, CouchDB, Redis, Cassandra, and Neo4j.

Confidence Score: 5/5

Safe to merge — new prompt-only file with no runtime logic changes and no registration required.

All findings are P2 (style/documentation suggestions). The file is self-contained, auto-discovered, and has no impact on existing functionality.

No files require special attention.

Important Files Changed

Filename	Overview
strix/prompts/vulnerabilities/nosql_injection.jinja	New NoSQL injection guide (284 lines) following the established vulnerability template structure; covers MongoDB, CouchDB, Redis, Cassandra, Neo4j with operator injection, JS execution, ODM issues, WAF bypasses, and blind extraction techniques.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: strix/prompts/vulnerabilities/nosql_injection.jinja
Line: 92-97

Comment:
**Nested sub-tags in `detection_channels` diverge from sibling guides**

`<detection_channels>` wraps four sub-elements (`<operator_based>`, `<boolean_based>`, `<timing_based>`, `<error_based>`), while every other guide in this directory (e.g. `sql_injection.jinja`) keeps `detection_channels` as a flat bullet list. The inconsistency is harmless at runtime — modules are loaded as raw text — but makes the template harder to maintain and visually scan alongside peers. Consider flattening the section to match the established pattern.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: strix/prompts/vulnerabilities/nosql_injection.jinja
Line: 152-153

Comment:
**`$where` JavaScript is disabled by default in modern MongoDB**

The guide presents `$where` payloads as a primary extraction path without mentioning that server-side JavaScript is **disabled by default since MongoDB 3.6+** (via `--noscripting`). Pro tip #5 does mention checking if SSJS is enabled, but given that the `javascript_injection` and `data_extraction` sections both lean heavily on `$where` first, a brief "requires SSJS to be enabled (off by default in modern deployments)" caveat near the `<where_clause>` section would prevent wasted tester effort on the most common MongoDB configurations.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "feat: Add NoSQL injection vulnerability ..." | Re-trigger Greptile}

[greptile-apps]

Nested sub-tags in detection_channels diverge from sibling guides

<detection_channels> wraps four sub-elements (<operator_based>, <boolean_based>, <timing_based>, <error_based>), while every other guide in this directory (e.g. sql_injection.jinja) keeps detection_channels as a flat bullet list. The inconsistency is harmless at runtime — modules are loaded as raw text — but makes the template harder to maintain and visually scan alongside peers. Consider flattening the section to match the established pattern.

Prompt To Fix With AI

This is a comment left during a code review.
Path: strix/prompts/vulnerabilities/nosql_injection.jinja
Line: 92-97

Comment:
**Nested sub-tags in `detection_channels` diverge from sibling guides**

`<detection_channels>` wraps four sub-elements (`<operator_based>`, `<boolean_based>`, `<timing_based>`, `<error_based>`), while every other guide in this directory (e.g. `sql_injection.jinja`) keeps `detection_channels` as a flat bullet list. The inconsistency is harmless at runtime — modules are loaded as raw text — but makes the template harder to maintain and visually scan alongside peers. Consider flattening the section to match the established pattern.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

$where JavaScript is disabled by default in modern MongoDB

The guide presents $where payloads as a primary extraction path without mentioning that server-side JavaScript is disabled by default since MongoDB 3.6+ (via --noscripting). Pro tip #5 does mention checking if SSJS is enabled, but given that the javascript_injection and data_extraction sections both lean heavily on $where first, a brief "requires SSJS to be enabled (off by default in modern deployments)" caveat near the <where_clause> section would prevent wasted tester effort on the most common MongoDB configurations.

Prompt To Fix With AI

This is a comment left during a code review.
Path: strix/prompts/vulnerabilities/nosql_injection.jinja
Line: 152-153

Comment:
**`$where` JavaScript is disabled by default in modern MongoDB**

The guide presents `$where` payloads as a primary extraction path without mentioning that server-side JavaScript is **disabled by default since MongoDB 3.6+** (via `--noscripting`). Pro tip #5 does mention checking if SSJS is enabled, but given that the `javascript_injection` and `data_extraction` sections both lean heavily on `$where` first, a brief "requires SSJS to be enabled (off by default in modern deployments)" caveat near the `<where_clause>` section would prevent wasted tester effort on the most common MongoDB configurations.

How can I resolve this? If you propose a fix, please make it concise.

[bearsyankees]

merging, thanks @timlzh!