Portswigger - NoSQL injection - Lab #1 Detecting NoSQL injection
Hello Hackers, in this video on Detecting NoSQL injection you will see how to discover and exploit NoSQL injection vulnerabilities in a lab from the Web Security Academy powered by PortSwigger.

⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️

0:00 - About the Lab
0:42 - Exploit NoSQL injection input
5:18 - Bypass the filter using a Boolean condition

🔍 About the Lab
Lab: Detecting NoSQL injection
Level: Apprentice
The product category filter for this lab is powered by a MongoDB NoSQL database. It is vulnerable to NoSQL injection. To solve the lab, perform a NoSQL injection attack that causes the application to display unreleased products.

✅ What to do?
1. In Burp's browser, access the lab and click on a product category filter.
2. In Burp, go to Proxy, then HTTP history. Right-click the category filter request and select Send to Repeater.
3. In Repeater, submit a ' character in the category parameter. Notice that this causes a JavaScript syntax error. This may indicate that the user input was not filtered or sanitized correctly.
4. Submit a valid JavaScript payload in the value of the category query parameter. You could use the following payload: Gifts'+'
Make sure to URL-encode the payload by highlighting it and using the Ctrl-U hotkey. Notice that it doesn't cause a syntax error. This indicates that a form of server-side injection may be occurring.
5. Identify whether you can inject Boolean conditions to change the response:
5.1. Insert a false condition in the category parameter. For example: Gifts' && 0 && 'x
Make sure to URL-encode the payload. Notice that no products are retrieved.
5.2. Insert a true condition in the category parameter. For example: Gifts' && 1 && 'x
Make sure to URL-encode the payload. Notice that products in the Gifts category are retrieved.
6. Submit a Boolean condition that always evaluates to true in the category parameter. For example: Gifts'||1||'
7. Right-click the response and select Show response in browser.
8. Copy the URL and load it in Burp's browser. Verify that the response now contains unreleased products. The lab is solved.

Thank you for watching my video. If you have any questions or topic recommendations, feel free to write them in the comments below 🙋

#WebSecurityAcademy #portswigger #nosql #vulnerability
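To show why the steps above behave as they do, here is an added simulation (not the lab's or PortSwigger's code) of a MongoDB $where-style filter built by string concatenation, beside a fixed version that matches the category as a plain string. The product list, the field names category and released, and the filter shape are assumptions modelled on the lab description.

```javascript
// Constructed sample catalogue standing in for the lab's product collection.
const PRODUCTS = [
  { name: 'Mug', category: 'Gifts', released: 1 },
  { name: 'Secret mug', category: 'Gifts', released: 0 },
  { name: 'Hat', category: 'Clothing', released: 1 },
  { name: 'Unreleased hat', category: 'Clothing', released: 0 },
];

// VULNERABLE: the user-controlled category is spliced into a JavaScript
// expression, the way a $where clause built with string concatenation would be.
// Returns { error: 'SyntaxError' } when the expression fails to parse (what step 3
// observes), otherwise the names of the products the predicate selects.
function vulnerableFilter(category) {
  const where = `this.category == '${category}' && this.released == 1`;
  let predicate;
  try {
    // new Function stands in for the server evaluating the $where string.
    predicate = new Function(`return (${where});`);
  } catch (e) {
    return { error: e.name };
  }
  return PRODUCTS.filter((p) => predicate.call(p)).map((p) => p.name);
}

// FIXED: the category is an equality match on a string value, never parsed as
// code, so quotes and operators in the input are just characters to compare.
function safeFilter(category) {
  if (typeof category !== 'string') {
    throw new TypeError('category must be a string');
  }
  const query = { category, released: 1 }; // same shape you would pass to find()
  return PRODUCTS.filter(
    (p) => p.category === query.category && p.released === query.released,
  ).map((p) => p.name);
}

// Walk the lab's payloads through both filters.
for (const input of ["'", "Gifts'+'", "Gifts' && 0 && 'x", "Gifts' && 1 && 'x", "Gifts'||1||'"]) {
  console.log(JSON.stringify(input), '->', JSON.stringify(vulnerableFilter(input)),
    '| fixed:', JSON.stringify(safeFilter(input)));
}
```

The always-true payload selects every product, released or not, from the vulnerable filter because `||` binds more loosely than `&&`, while the fixed filter simply finds no category literally named `Gifts'||1||'`.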