Hacking OWASP’s Juice Shop Pt. 49: NoSQL Manipulation


Name: NoSQL Manipulation

Description: Update multiple product reviews at the same time.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

MongoDB Query Operator Documentation

Solution Guide


With my complete lack of prior exposure to NoSQL databases, this challenge was a fun learning experience. The first thing I did, as usual, was read the expanded description and the supplied link to MongoDB’s query operator documentation. I also read up on NoSQL queries on Stack Overflow.

This research was, unfortunately, insufficient. After an extended period of poking and prodding the database using Burp Suite’s Repeater tool, I gave in and read the solution (I’m here to learn, not demonstrate mastery). Once I saw how the actual query was formed, the reading I had done started to make better sense. Using the “not equals” operator on the Product ID field with an invalid ID number ensured that all table entries would be updated with Bender’s Banana Juice review.

[Screenshot: Burp Suite Repeater showing a PATCH request to /rest/products/reviews on localhost:3000 with Content-Type: application/json and a Bearer Authorization header; the JSON body carries the review text "This may be the end of the banana daiquiri as we know it!" and the author "bender@juice-sh.op". The application responds: You successfully solved a challenge: NoSQL Manipulation (Update multiple product reviews at the same time.)]

Prevention and Mitigation Strategies:

OWASP Injection Prevention Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

I need to spend more time with NoSQL databases, because the syntax used here was completely foreign to me. I’ll probably wind up taking a Udemy course, as one of the silver linings of unemployment is an abundance of free time to learn new things.
