Server-Side JavaScript Injection

Server-Side JavaScript Injection (SSJI) is a form of NoSQL injection in which attacker-controlled input is evaluated as JavaScript inside the database, typically through MongoDB's $where operator.

Theory

MongoDB's $where operator allows a JavaScript expression to be evaluated as a query condition against each document. When user input is concatenated into that expression without sanitization, the attacker controls part of the JavaScript the server evaluates, which is the root of the injection.

Vulnerable Code Example

// Vulnerable: both request fields are concatenated into a JavaScript expression
// that the database evaluates for every document it examines.
db.users.find({
    $where: 'this.username === "' + req.body['username'] + '" && this.password === "' + req.body['password'] + '"'
});

Authentication Bypass

Basic Bypass Payload

Use JavaScript logical operators so the expression evaluates to true for every document:

// Payload supplied in the username field: " || true || ""=="
// The concatenated expression parses as
//   (this.username === "") || true || ("" == "" && this.password === "<password>")
// because && binds tighter than ||, so the `true` term short-circuits and every document matches.
db.users.find({
    $where: 'this.username === "" || true || ""=="" && this.password === "<password>"'
});

URL-Encoded Payload

Blind Data Extraction

Character-by-Character Extraction

Use the JavaScript match() method with regex patterns:

Test first character:

Continue extraction:

Complete Extraction Process

  1. Verify injection works:

  2. Extract first character:

  3. Continue for each position:

Advanced JavaScript Payloads

Multiple Field Extraction

Conditional Logic

Function Calls

Automation Script

Common JavaScript Operators

Logical Operators

  • || (OR) - True if either operand is true

  • && (AND) - Both sides must be true

  • ! (NOT) - Negation

Comparison Operators

  • === (Strict equality)

  • !== (Strict inequality)

  • == (Loose equality)

  • != (Loose inequality)

String Methods

  • match() - Regex matching

  • indexOf() - Find substring position

  • startsWith() - Check prefix

  • endsWith() - Check suffix

  • length - String length (a property, not a method)

Detection Methods

Error-Based Detection

Time-Based Detection

Boolean-Based Detection

Prevention

Input Validation

Alternative Queries

Parameterized Queries
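The two defences listed above, input validation and an equality filter in place of $where, as an added example that is not code from the original page (the function names, the allow-list pattern and the constructed request are this example's own assumptions):

```javascript
// Added example: the page's vulnerable $where builder beside a hardened login
// filter that never evaluates JavaScript. Only filter documents are built and
// inspected, so no MongoDB driver or server is needed to run it.

// Vulnerable: user input is concatenated into a JavaScript expression that
// MongoDB would evaluate server-side (same pattern as the page's snippet).
function buildVulnerableFilter(body) {
  return {
    $where: 'this.username === "' + body.username + '" && this.password === "' + body.password + '"'
  };
}

// Hardened: reject anything that is not a plain string (this also blocks
// operator objects such as {"$gt": ""}), then use standard equality operators.
// The input becomes data inside the filter document, never code, so a string
// like '" || true || ""=="' is compared literally instead of being evaluated.
function buildSafeFilter(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  // Allow-list for the identifier (assumed policy); the password is left intact.
  if (!/^[A-Za-z0-9_.@-]{1,64}$/.test(username)) {
    throw new RangeError('username contains disallowed characters');
  }
  return { username: { $eq: username }, password: { $eq: password } };
}

// Review-time check: does a filter document still carry a $where clause anywhere?
function containsWhere(filter) {
  if (filter === null || typeof filter !== 'object') return false;
  return Object.entries(filter).some(([k, v]) => k === '$where' || containsWhere(v));
}

// Constructed sample request carrying the bypass payload shown on the page.
const BYPASS_REQUEST = { username: '" || true || ""=="', password: 'anything' };

console.log('vulnerable $where:', buildVulnerableFilter(BYPASS_REQUEST).$where);
try {
  buildSafeFilter(BYPASS_REQUEST);
} catch (e) {
  console.log('hardened builder rejected payload:', e.message);
}
console.log('hardened filter:', JSON.stringify(buildSafeFilter({ username: 'alice', password: 'anything' })));
```

Running the block prints the injected expression the vulnerable builder would hand to the database, followed by the rejection and a plain equality filter for a legitimate login.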

Key Points

  • Unique to NoSQL: JavaScript injection is specific to MongoDB's $where operator

  • Flexible payloads: Can use any valid JavaScript expressions

  • Multiple attack vectors: Authentication bypass, data extraction, information disclosure

  • Automation friendly: Easy to script character-by-character extraction

  • Detection methods: Error-based, time-based, boolean-based

Common Vulnerable Patterns

  • User input directly concatenated into $where expressions

  • Lack of input validation on JavaScript operators

  • Using $where when standard operators would suffice

  • Missing output encoding in error messages
