NoSQL doesn't mean no injection. MongoDB's $ne, $gt, $regex operators are injection primitives and most scanners miss them entirely. Auth bypass in one JSON body. Blind extraction via $regex one char at a time. $where for timing attacks when server-side JS is enabled. CouchDB Admin Party for legacy targets. https://www.kayssel.com/newsletter/issue-42/ #infosec #cybersecurity
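
The defensive side of the "auth bypass in one JSON body" point, as an added example that is not from the post or the linked newsletter: a login handler should reject any credential that is not a plain string and any key MongoDB would read as an operator, before a query filter is built. The function names (`findOperatorKeys`, `parseLogin`) and the sample bodies are hypothetical and constructed for illustration.

```javascript
// Added example: input validation for a MongoDB-backed login route.
// findOperatorKeys and parseLogin are hypothetical names, not a library API.

// Recursively collect keys that start with "$" or contain ".".
// MongoDB interprets such keys as query operators or nested field paths.
function findOperatorKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith("$") || key.includes(".")) hits.push(here);
    hits.push(...findOperatorKeys(child, here));
  }
  return hits;
}

// Accept only non-empty string credentials; reject everything else up front.
function parseLogin(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, reason: "invalid JSON" }; }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be an object" };
  }
  const ops = findOperatorKeys(body);
  if (ops.length) return { ok: false, reason: `operator key: ${ops.join(", ")}` };
  for (const field of ["username", "password"]) {
    if (typeof body[field] !== "string" || body[field].length === 0) {
      return { ok: false, reason: `${field} must be a non-empty string` };
    }
  }
  // The filter is built from a validated string with an explicit $eq.
  // The password never enters the filter; compare its hash in application code.
  return { ok: true, filter: { username: { $eq: body.username } }, password: body.password };
}

// Constructed sample request bodies.
const samples = [
  '{"username":"alice","password":"correct horse"}',
  '{"username":"admin","password":{"$ne":null}}',
  '{"username":{"$regex":"^a"},"password":"x"}',
  '{"username":["admin"],"password":"x"}',
];
for (const s of samples) console.log(s, "->", JSON.stringify(parseLogin(s)));
```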