NoSQL-Injection/Resume.md at main · akrambel2115/NoSQL-Injection

What was implemented

This project now demonstrates both read and write NoSQL injection in two modes:

Main additions made:

Added profile fields to user records (age, phoneNumber, bio, department) and updated seeding for all users.
Added profile retrieval endpoints in both modes using URL query parameters.
Added profile update endpoints in both modes (POST/PUT) to demonstrate write injection.
Updated the website search page with a profile editor (view + update) and raw JSON payload testing.
Kept URL-bar testing support for profile query injection.

Vulnerable endpoint takes query params directly and passes them to Mongo filters.
Example attack style: email[$ne]=wassim@cns.ensia.
Result: attackers can query unintended records.

Secure endpoint behavior:

Vulnerable update endpoint builds selector from request body and applies updates with weak checks.
This enables:
- Operator injection in selectors ($eq, $ne, etc.).
- Property injection in updates (for example changing role).

Secure update endpoint behavior:

Use raw JSON update payload:

{
	"email": { "$eq": "wassim@cns.ensia" },
	"role": "admin",
	"bio": "Injected write demo"
}

Expected in vuln: update can escalate privileges. Expected in secure: request is rejected.

Always run npm run seed before demos to reset the lab state.
Keep one terminal running npm run dev during all tests.
Test the same payload in both vuln and secure modes to clearly show the difference.
For screenshots/reporting, capture: login result, payload used, server response, and final profile state.
After any write-injection test, reseed to avoid carrying modified roles into the next test.