About This Tool

Primary Use Case

Key Features

• Supports NoSQL injection detection specifically for MongoDB
• Performs error-based injection by injecting payloads and analyzing MongoDB error responses
• Executes boolean blind injection tests using true/false payloads
• Conducts timing-based injection tests to detect delays caused by injected payloads
• Fully command line based with a simple and configurable interface
• Supports loading HTTP requests from files (e.g., Burp or ZAP exports)
• Proxy support for routing requests through a specified proxy
• Includes a test suite with unit tests and injection coverage

Insights & Recommendations

Ensure the target URL includes all testable parameters for accurate scanning. Use with permission on authorized targets only. Proxy support allows integration with interception tools. Building from source requires a recent Go environment. Future updates may include data extraction features.

Installation

Download the latest binary for your OS from the releases page
Place the binary in your system PATH or run it from a local folder
Alternatively, clone the repository: git clone https://github.com/Charlie-belmer/nosqli
Navigate into the cloned directory: cd nosqli
Install dependencies: go get -u -d ./...
Build and install the tool: go install
Run nosqli with -h to verify installation and view help

Usage

Smart Usage Notes

• Integrate nosqli scans into CI/CD pipelines to automate early detection of NoSQL injection vulnerabilities.
• Combine nosqli with web application firewalls (WAF) tuning to improve detection and prevention of injection attacks.
• Use nosqli in red team exercises to simulate realistic NoSQL injection attack vectors and improve blue team detection capabilities.
• Extend nosqli with data extraction features to support advanced penetration testing scenarios.
• Leverage proxy support to route scans through monitoring tools for enhanced visibility and logging during assessments.

Security Capability Profile