NIVA - NoSQL Injection Vulnerable App

A deliberately vulnerable Spring + MongoDB web app for learning, demonstrating, and testing NoSQL injection, built for software engineers, security engineers, pentesters, and trainers.


NoSQL injection is widely misunderstood: many engineers assume “no SQL” means “no injection.” NIVA (NoSQL Injection Vulnerable App) is a simple web application that is intentionally vulnerable, built to “facilitate a better understanding of the NoSQL injection vulnerability among a wide audience of software engineers, security engineers, pentesters, and trainers.”

What it demonstrates

A Spring web app backed by MongoDB via the official Java driver. The vulnerability is a classic one done right: a query built with $where and string concatenation, which lets an attacker manipulate the query to bypass authentication and access controls. It’s a concrete, hands-on target for seeing how NoSQL injection actually works, and how to fix it.
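The pattern the paragraph describes, as an added illustration written for this page rather than code taken from NIVA itself: the lookup built with $where and string concatenation next to the parameterised lookup that replaces it, using the official MongoDB Java driver's Filters API. The collection and field names ("users", "username", "password") and the connection string are assumptions, not NIVA's actual schema.

```java
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.conversions.Bson;

/**
 * Vulnerable lookup (as NIVA demonstrates it) beside the fixed one.
 * Collection/field names and the URI are assumptions for this example.
 */
public class LoginLookup {

    private final MongoCollection<Document> users;

    public LoginLookup(MongoCollection<Document> users) {
        this.users = users;
    }

    /** VULNERABLE: user input is spliced into a JavaScript expression that mongod evaluates. */
    public Document findUserVulnerable(String username, String password) {
        String js = "this.username == '" + username + "' && this.password == '" + password + "'";
        // $where runs 'js' server-side; quotes or operators in the input change what the
        // expression means, which is how the auth check on this lookup gets bypassed.
        return users.find(new Document("$where", js)).first();
    }

    /** FIXED: typed equality filters; the driver sends the values as BSON strings, never as code. */
    public Document findUserSafe(String username, String password) {
        Bson filter = Filters.and(
                Filters.eq("username", username),
                Filters.eq("password", password)); // lab-style plaintext compare; real apps verify a hash
        return users.find(filter).first();
    }

    /**
     * Defensive check for handlers that bind request JSON into Object or Map fields:
     * a value that arrived as a document (for example with a "$"-prefixed key) is
     * rejected before it can reach the query instead of being treated as an operator.
     */
    public static String requirePlainString(Object value, String fieldName) {
        if (!(value instanceof String)) {
            throw new IllegalArgumentException(fieldName + " must be a plain string");
        }
        return (String) value;
    }

    public static void main(String[] args) {
        // Assumed local URI and database name; adjust for the lab instance you run.
        try (MongoClient client = MongoClients.create("mongodb://localhost:27017")) {
            MongoCollection<Document> users = client.getDatabase("niva").getCollection("users");
            LoginLookup lookup = new LoginLookup(users);
            Document found = lookup.findUserSafe("alice", "s3cret");
            System.out.println(found == null ? "no match" : "matched " + found.getString("username"));
        }
    }
}
```

Two practical notes on the fix. A Spring controller parameter typed String already rules out operator objects, so requirePlainString only matters where a handler binds into Object or Map; the $where variant stays exploitable regardless of type, because the problem is concatenation into code, not typing. As a defence in depth, server-side JavaScript can be disabled on mongod (security.javascriptEnabled: false in the configuration file), after which any $where query fails outright and the vulnerable path cannot evaluate at all.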

Who it’s for

Software engineers learning secure data access, security engineers and pentesters practicing exploitation, and trainers who need a reliable lab target for a NoSQL injection exercise.

Running it

The fastest path is Docker:

docker pull aabashkin/niva
docker run -p 8080:8080 aabashkin/niva

It also builds from source with Maven (mvn clean package, then java -jar target/…jar), or you can grab a prebuilt JAR from Releases; see the repository for specifics.

⚠️ This application is intentionally insecure. Run it locally or in an isolated lab only. Never expose it to the public internet or a network you care about.

MIT licensed.