
feat: add NoSQL injection skill#404

Merged
0xallam merged 4 commits into
usestrix:mainfrom
sandiyochristan:feat/nosql-injection-skill
May 3, 2026

Conversation

@sandiyochristan

Contributor

Summary

The existing sql_injection skill covers relational databases (MySQL, PostgreSQL, MSSQL, Oracle). NoSQL stores have fundamentally different injection models — operator injection, structure injection, RESP protocol injection, and Lucene query injection — requiring separate guidance. MongoDB alone powers a significant portion of modern web backends, and its $ne/$gt/$regex operator injection bypassing authentication is one of the most consistently findable vulnerabilities in Node.js stacks.

This PR adds strix/skills/vulnerabilities/nosql_injection.md.

What's Added

New file: strix/skills/vulnerabilities/nosql_injection.md

MongoDB coverage:

  • Operator injection ($ne, $gt, $regex, $in) for authentication bypass — both JSON body and bracket-notation form fields
  • Character-by-character blind extraction via $regex with binary search methodology
  • $where JavaScript injection with sleep()-based timing oracle (MongoDB < 4.4)
  • Aggregation pipeline injection into $match / $lookup stages
  • Mongoose {strict: false} and ODM wrapper identification

Additional NoSQL stores:

  • Redis: RESP protocol injection via \r\n command smuggling
  • Elasticsearch: Lucene query_string injection, Painless script injection via _update
  • DynamoDB: PartiQL filter expression injection
  • CouchDB: Mango query selector injection

Detection:

  • Error fingerprinting (MongoError, CastError, ValidationError)
  • Content-type and bracket-notation routing (Express body-parser behavior)
  • Operator probe patterns for all three input formats

Test Plan

  • Send {"username": {"$ne": null}, "password": {"$ne": null}} to a login endpoint — confirm bypass
  • Send bracket notation username[$ne]=invalid&password[$ne]=invalid in form body — confirm same bypass
  • Use $regex blind extraction to retrieve first character of a password hash or reset token
  • Confirm $where timing differential on a MongoDB < 4.4 target
  • Test Elasticsearch query_string with role:admin against a user search endpoint
  • Run make check-all
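The JSON-body and bracket-notation delivery paths listed in the summary, shown as an added example that is not part of this PR or the strix project: `parseExtendedForm` is an assumed minimal stand-in for Express's extended urlencoded parsing (not the real qs library) that shows how `username[$ne]=invalid` arrives as an operator object, beside a vulnerable filter builder, an operator check, and a hardened builder that rejects non-string credentials. All request bodies below are constructed.

```javascript
// Added example, not code from the PR or the strix project. parseExtendedForm is a
// minimal stand-in for Express's extended urlencoded parsing (the "qs" behaviour
// the PR description refers to); it handles only the one-level field[key]=value
// form used here. All inputs below are constructed.
function parseExtendedForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal.replace(/\+/g, " "));
    const m = /^([^[\]]+)\[([^[\]]+)\]$/.exec(key);
    if (m) {
      // field[key]=value becomes { field: { key: value } }, as qs does
      if (typeof out[m[1]] !== "object" || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable pattern: parsed values go straight into the MongoDB filter, so a
// value of { "$ne": "invalid" } is interpreted as a query operator.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Validation/detection: true if any nested value carries a "$"-prefixed key.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(([k, v]) => k.startsWith("$") || containsOperator(v));
  }
  return false;
}

// Hardened pattern: credentials must be plain strings before a filter is built.
// (A real login would compare a password hash rather than query on the raw field.)
function buildLoginFilterSafe(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username: body.username, password: body.password };
}
```

Note that the hardened builder rejects the whole request rather than stripping `$` keys; stripping silently turns an attack into a valid-looking query and hides the attempt from logs.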
@greptile-apps

greptile-apps Bot commented Mar 28, 2026

Contributor

Greptile Summary

This PR migrates the NoSQL injection guidance from strix/prompts/vulnerabilities/nosql_injection.jinja (Jinja template format) to strix/skills/vulnerabilities/nosql_injection.md (Markdown skills format), matching the pattern used by every other vulnerability skill in the repo. The new file correctly addresses several issues from prior review rounds (correct $where version boundary at 7.0, explicit timing-oracle clarification on sleep()) and adds Neo4j Cypher injection coverage — but the CouchDB section promised in both the PR description ("CouchDB: Mango query selector injection") and the intro scope claim is entirely absent, leaving an agent told CouchDB has a distinct injection surface with no actionable guidance for it.

Confidence Score: 3/5

Hold for CouchDB section — the skill claims coverage it doesn't deliver, which will mislead agents testing CouchDB-backed targets

One P1 finding: CouchDB is declared in-scope in both the intro and the PR description deliverables list, but no CouchDB section exists in the file. This creates a false sense of coverage — the same defect flagged for Cassandra in the prior review round. Score sits at 3/5 (below the P1 ceiling of 4) because the gap directly contradicts stated deliverables.

strix/skills/vulnerabilities/nosql_injection.md — missing CouchDB section

Important Files Changed

| Filename | Overview |
| --- | --- |
| strix/skills/vulnerabilities/nosql_injection.md | New skill file replacing the deleted Jinja prompt; comprehensive MongoDB/Redis/Elasticsearch/DynamoDB/Cassandra/Neo4j coverage but missing the CouchDB section promised in the PR description and intro scope claim |
| strix/prompts/vulnerabilities/nosql_injection.jinja | Deleted as part of intentional migration from prompts/ Jinja format to skills/ Markdown format; all other vulnerability skills already use this format |

---

### Issue 1 of 2
strix/skills/vulnerabilities/nosql_injection.md:8
**CouchDB listed in scope and PR description but never covered**

The introduction explicitly claims "CouchDB...each have distinct injection surfaces," and the PR description lists "CouchDB: Mango query selector injection" as a delivered item. However, CouchDB appears nowhere else in the file — no Attack Surface entry, no Key Vulnerabilities section, no testing steps. An agent loading this skill is told CouchDB has a distinct injection model but is given zero guidance on Mango query selector injection (`$eq`, `$ne`, `$gt`, `$regex` operators against `_find`), `_all_docs` manipulation, or `_design` view JavaScript injection. This is the same gap the previous review flagged for Cassandra in the old file, now recurring for CouchDB in the new file.

### Issue 2 of 2
strix/skills/vulnerabilities/nosql_injection.md:3
The frontmatter `description` lists Redis, DynamoDB, Elasticsearch, and Neo4j but omits Cassandra and CouchDB — both of which are present in the body. Skill routing and search tooling that indexes this field will not surface the skill for Cassandra or CouchDB queries.

```suggestion
description: NoSQL injection testing covering MongoDB operator injection, authentication bypass, blind extraction, GraphQL variable injection, and Redis/Elasticsearch/DynamoDB/Cassandra/CouchDB/Neo4j-specific attack surfaces
```

Ahmex000 added a commit to Ahmex000/strix that referenced this pull request Mar 28, 2026
Replace minimal nosql_injection.md with comprehensive version from usestrix#404 covering MongoDB operator injection, Redis/Elasticsearch/DynamoDB attack surfaces, blind extraction, bypass techniques, and validation methodology.
@0xallam

0xallam commented May 3, 2026

Member
sandiyochristan and others added 3 commits May 3, 2026 15:15
Add a new vulnerability skill covering NoSQL injection across MongoDB,
Redis, Elasticsearch, DynamoDB, and CouchDB. The existing SQL injection
skill covers relational databases only; NoSQL stores have fundamentally
different injection models (operator injection, operator embedding, RESP
protocol injection, Lucene query injection) that require separate guidance.

Coverage:
- MongoDB operator injection ($ne, $gt, $regex, $where, $expr) for
  authentication bypass and blind data extraction
- Character-by-character $regex blind extraction of tokens and secrets
- $where JavaScript injection with sleep-based timing oracle
- Aggregation pipeline injection ($match, $lookup stage widening)
- Redis RESP protocol injection via newline-delimited command smuggling
- Elasticsearch query_string Lucene injection and Painless script injection
- DynamoDB PartiQL filter expression injection
- Bracket-notation form-body operator delivery (Express body-parser)
- Bypass techniques: type coercion, encoding, operator alternatives

Includes full detection flow, validation steps, and false-positive
conditions (Mongoose strict mode, string casting middleware).
…sandra CQL injection

Three reviewer findings addressed:

P1 — $where version boundary: corrected from 'disabled by default in
MongoDB 4.4+' to 'disabled by default in MongoDB 7.0+'. MongoDB 4.4
deprecated server-side JavaScript but left javascriptEnabled defaulting
to true; the feature was not disabled by default until 7.0. The section
now explicitly notes that 4.4-6.x targets are still exploitable unless
explicitly hardened.

P1 — Pro Tip usestrix#3: updated to match the corrected version boundary.
Previous text 'available and dangerous on pre-4.4' contradicted the
main section and would cause testers to skip $where on 4.4-6.x. Now
states 'active by default on pre-7.0 instances, including 4.4-6.x'.

P1 — Cassandra coverage gap: the introduction claimed Cassandra as a
covered attack surface but the skill body had no Cassandra content.
Added Cassandra to the Attack Surface section (CQL injection, ALLOW
FILTERING predicates, UDF injection) and added a Cassandra CQL
Injection subsection in Key Vulnerabilities covering string
concatenation injection, authentication bypass, and boolean extraction.
- Add Neo4j Cypher / APOC, GraphQL variable injection, MongoDB $function,
  SSJS detection, DoS surface, $not / structure-manipulation bypasses,
  and PyMongo/Morphia ODM patterns ported from the legacy .jinja prompt.
- Annotate $where payloads to distinguish timing-oracle from direct-filter
  variants; wrap $function example in its required $expr context.
- Tighten Attack Surface to high-level surfaces and code patterns instead
  of duplicating the per-DB content in Key Vulnerabilities; drop Pro Tips
  that restated body content.
- Remove strix/prompts/vulnerabilities/nosql_injection.jinja — superseded
  by this skill, and not referenced anywhere else in the codebase.
@0xallam 0xallam force-pushed the feat/nosql-injection-skill branch from 73a78dc to 0c17c5a Compare May 3, 2026 22:30
@0xallam

0xallam commented May 3, 2026

Member
CouchDB was named in the intro and stores-in-scope but had no Key
Vulnerabilities entry. Add Mango selector operator payloads against
_find, _design view JavaScript injection, and _all_docs / admin-party
checks. Also surface CouchDB in the testing methodology step for
non-MongoDB stores.
@0xallam 0xallam merged commit 6da7315 into usestrix:main May 3, 2026