Feat: Add NoSQL Injection Vulnerability Level 1 #502

Open
subhamkumarr wants to merge 17 commits into SasanLabs:master from subhamkumarr:fix/nosql-injection
@subhamkumarr
Contributor

Description

This PR implements NoSQL Injection Vulnerability Level 1, addressing issue #497.

Changes

  • Dependencies: Added spring-boot-starter-data-mongodb and de.flapdoodle.embed.mongo to build.gradle for embedded MongoDB support.
  • Vulnerability Type: Added NOSQL_INJECTION to VulnerabilityType.java.
  • Backend: Created NoSQLInjectionVulnerability.java.
    • Initializes an embedded MongoDB with dummy users (admin, user1, guest).
    • Implements getVulnerablePayloadLevel1 which constructs a BasicQuery using string concatenation, allowing NoSQL injection.
  • Frontend: Created NoSQLInjection_Level1.html and js to allow users to interact with the vulnerability.

How to Verify

  1. Navigate to NoSQL Injection -> Level 1.
  2. Input guest and click Search. You should see the user details.
  3. Exploit: Input guest" || "1"=="1 or similar payload (depending on the query logic) to break out of the query.
    • Note: Since this uses BasicQuery with string concatenation passed to mongoTemplate.find(), it simulates a JSON injection or $where clause injection depending on context. The logic explicitly constructs { "username": "<input>" }.
    • Payload: admin", "password": { "$ne": "1" }.
    • Resulting Query: { "username": "admin", "password": { "$ne": "1" } }.
    • This should return the admin user, demonstrating the injection.

Dependencies

  • Embedded MongoDB is used, so no external database setup is required.
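
The effect of the resulting query quoted in the description above, next to the filter shape a secure level would enforce, as an added example that is not part of the PR. `USERS`, `matches`, `find`, `hasExpectedShape` and `buildFilter` are hypothetical names, the matcher is a small stand-in for MongoDB filter evaluation, and only the admin record and the two quoted strings come from this page.

```javascript
// Added illustration, not code from the PR. USERS is constructed sample data
// modelled on the seeded accounts the PR description names.
const USERS = [
  { username: "admin", password: "SecretPassword123", name: "Admin User" },
  { username: "user1", password: "constructed-1", name: "User One" },
  { username: "guest", password: "constructed-2", name: "Guest" },
];

// Minimal stand-in for MongoDB filter matching: equality, $eq and $ne only.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond === null || typeof cond !== "object") return doc[field] === cond;
    return Object.entries(cond).every(([op, arg]) => {
      if (op === "$eq") return doc[field] === arg;
      if (op === "$ne") return doc[field] !== arg;
      throw new Error("operator not modelled: " + op);
    });
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter)).map((doc) => doc.username);
}

// Shape check for a Level 1 lookup: exactly one key, "username", whose value
// is a plain string. Extra fields or operator objects mean the input changed
// the query structure.
function hasExpectedShape(filter) {
  const keys = Object.keys(filter);
  return keys.length === 1 && keys[0] === "username" &&
    typeof filter.username === "string";
}

// Hardened construction: the input is only ever placed as a value, so quotes
// and braces inside it stay data.
function buildFilter(input) {
  if (typeof input !== "string") throw new TypeError("username must be a string");
  return { username: input };
}

// Strings quoted from the PR description.
const PAYLOAD = 'admin", "password": { "$ne": "1" }';
const RESULTING_QUERY = '{ "username": "admin", "password": { "$ne": "1" } }';

const injected = JSON.parse(RESULTING_QUERY);
console.log(hasExpectedShape(injected), find(injected));
console.log(hasExpectedShape(buildFilter(PAYLOAD)), find(buildFilter(PAYLOAD)));
console.log(find(buildFilter("guest")));
```

In the project's Java code the equivalent of `buildFilter` is a query built from a criteria object with the input bound as a value rather than a `BasicQuery` assembled from concatenated text.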

@preetkaran20
Member

preetkaran20 commented Feb 17, 2026

@subhamkumarr please run ./gradlew spotlessApply and submit PR again.

@codecov-commenter

codecov-commenter commented Feb 18, 2026

Codecov Report

❌ Patch coverage is 69.76744% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.48%. Comparing base (3dd7ba8) to head (d480133).
⚠️ Report is 39 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...labs/configuration/VulnerableAppConfiguration.java | 0.00% | 7 Missing ⚠️ |
| ...lnerability/nosql/NoSQLInjectionVulnerability.java | 80.00% | 4 Missing and 1 partial ⚠️ |
| ...rg/sasanlabs/service/vulnerability/nosql/User.java | 85.71% | 1 Missing ⚠️ |

Additional details and impacted files
@@             Coverage Diff              @@
##             master     #502      +/-   ##
============================================
+ Coverage     49.33%   49.48%   +0.15%     
- Complexity      346      355       +9     
============================================
  Files            56       59       +3     
  Lines          2090     2144      +54     
  Branches        225      228       +3     
============================================
+ Hits           1031     1061      +30     
- Misses          978     1001      +23     
- Partials         81       82       +1     

@preetkaran20
Member

@subhamkumarr can you please review sample vulnerability related classes and files?

@VulnerableAppRequestMapping(
value = LevelConstants.LEVEL_1,
htmlTemplate = "LEVEL_1/NoSQLInjection_Level1")
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel1(
Member

Is it possible to add more levels, including a secure level?

if (mongoTemplate.collectionExists(User.class)) {
mongoTemplate.dropCollection(User.class);
}
mongoTemplate.save(new User("admin", "SecretPassword123", "Admin User"));
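
Review bot: the seed step at `mongoTemplate.dropCollection(User.class)` followed by `mongoTemplate.save(new User("admin", "SecretPassword123", "Admin User"))` discards whatever is in the users collection each time it runs and carries the admin credential as an inline literal with no comment. Move the seeded values into named constants and add a comment stating that the credential is intentional lab data, so other code that needs the seeded values references one definition and nobody mistakes the literal for a leaked secret.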
Member

Run it as @Bean instead

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean;
Member

Remove sample vulnerability related classes.

@@ -0,0 +1,37 @@
package org.sasanlabs.service.vulnerability.sampleVulnerability;

import org.sasanlabs.internal.utility.LevelConstants;
Member

Please remove this.

@preetkaran20
Member

@subhamkumarr are you working on this?
