Burp Suite extension for detection and exploitation of variants of the NoSQL Injection vulnerability. Made for the free version of Burp Suite. Uses Montoya API.
This is a proof of concept solution. Tested only with labs from PortSwigger Web Security Academy.
Compile the project to a JAR file.
Follow the official Burp Suite instructions for installing extensions from https://portswigger.net/burp/documentation/desktop/extensions/installing-extensions#installing-an-extension-from-a-file
To perform the FUZZ_STRING test:
- Select the part of the request that should be replaced with the payload.
- In the context menu (available in "Target", "Proxy", "Repeater", or "Logger"), select "Perform test: FUZZ_STRING".
- The scan will automatically start, and sent requests can be observed in the "NNN Logger".
- The test first sends the full payload and then sends each character separately to identify which specific characters might cause server errors.
- This test works with both GET and POST requests.
After the scan, all responses will be analyzed, and suspicious ones will be listed in the "NNN Scan Information" tab within the "NNN Logger".
To perform the BOOLEAN test:
- Select the part of the request to be replaced with the payload.
- In the context menu, choose "Perform test: BOOLEAN".
- The scan starts automatically, and requests can be tracked in the "NNN Logger".
- This test sends payloads with logic operators.
- It works with both GET and POST requests.
After the scan, suspicious responses will be listed in the "NNN Scan Information" tab.
To perform the AUTHENTICATION_BYPASS_USERNAME test:
- Select the username field (including quotes) in the request.
- In the context menu, choose "Perform test: AUTHENTICATION_BYPASS_USERNAME".
- The scan starts automatically, and requests can be observed in the "NNN Logger".
- The test verifies parameters storing usernames.
- This test works with both GET and POST requests.
After the scan, suspicious responses will be listed in "NNN Scan Information".
To perform the AUTHENTICATION_BYPASS_PASSWORD test:
- Select the password field (including quotes) in the request.
- In the context menu, choose "Perform test: AUTHENTICATION_BYPASS_PASSWORD".
- The scan starts automatically, and requests can be observed in the "NNN Logger".
- The test verifies parameters storing passwords.
After the scan, suspicious responses will be listed in "NNN Scan Information".
To perform the AUTHENTICATION_TEST for both username and password:
- Select the username field and use "[AUTHENTICATION TEST] Select username field".
- Select the password field and use "[AUTHENTICATION TEST] Select password field".
- Once both are selected, the scan starts automatically.
- This test attempts to bypass authentication using payloads from previous tests.
- It works with POST requests.
After the scan, suspicious responses will be listed in "NNN Scan Information".
To perform FIELD_NAME_EXTRACTION:
- Select the part of the request where the payload should be added.
- In the context menu, choose "Perform extraction of field names".
- The scan starts automatically, and requests can be observed in the "NNN Logger".
- The test attempts to extract field names from responses.
- It works with POST requests.
After the scan, extracted field names will be listed in "NNN Scan Information".
To perform DATA_EXTRACTION:
- Select the part of the request where the payload should be added.
- In the context menu, choose "Perform extraction of data".
- The scan starts automatically, and requests can be observed in the "NNN Logger".
- This test attempts to extract data based on known field names.
- It works with GET and POST requests.
After the scan, extracted data will be listed in "NNN Scan Information".
