I am trying to create a NoSQL injection vulnerability with Flask and MongoDB. I'm trying to create a route for my app with query params and got stuck with array params. Here is my code:
@app.route("/get_test", methods=["GET"])
def test():
    name = request.args.get("name")
And the route looks like this: http://localhost:3214/get_test?name["$ne"]=test. While I expected to get name = {'name':{"$ne":'test'}}, I actually get name = None, because the key is now "name['$ne']". Can I build a NoSQL injection like this in Flask, or is it only a Node.js and PHP thing?
I have tried to use the mongo-query-manager library, and it didn't help. I also tried args = list(request.args.to_dict()), and that didn't help either.
What you are trying to do is not possible in Flask. By not possible I mean that what you are sending in the string parameter is not readable by Flask. If you want to read
name = {'name':{"$ne":'test'}}
then send the dict as the parameter and do json.loads(request.args.get("name"))
to convert the string dict to python dict.
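
An added example, not part of the original question or answer: it contrasts the bracketed key with a JSON-encoded value, then shows the filter built by decoding the parameter next to a string-only form. `urllib.parse` stands in for Flask's flat query parsing as an assumption so the block runs without Flask or MongoDB; the function names and sample query strings are constructed for illustration.

```python
import json
from urllib.parse import parse_qs


def parse_name(query_string):
    """Return the raw 'name' value as a flat query parser sees it, or None."""
    values = parse_qs(query_string).get("name")
    return values[0] if values else None


def filter_json_decoded(raw):
    """Pattern from the answer: decode the parameter and use it in the filter.
    A decoded dict is passed through, so '$' operators reach the query."""
    return {"name": json.loads(raw)}


def filter_string_only(raw):
    """Hardened form: the value is only ever compared as a literal string."""
    if not isinstance(raw, str):
        raise ValueError("name must be a string")
    return {"name": {"$eq": raw}}


def has_operator(value):
    """True if a decoded value contains a key starting with '$' at any depth."""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator(v) for v in value)
    return False


# Constructed sample query strings (not taken from a real request).
BRACKET_QS = 'name["$ne"]=test'      # the key is literally 'name["$ne"]'
JSON_QS = 'name={"$ne":"test"}'      # the key is 'name', the value is JSON text

if __name__ == "__main__":
    print("bracket form ->", parse_name(BRACKET_QS))
    raw = parse_name(JSON_QS)
    print("json form    ->", raw)
    print("decoded      ->", filter_json_decoded(raw))
    print("operator?    ->", has_operator(json.loads(raw)))
    print("string only  ->", filter_string_only(raw))
```

A route that must accept JSON can call `has_operator` on the decoded value and reject the request when it returns True.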