Papaya is a tool to test if a MongoDB/NoSQL-based web application is vulnerable to a basic nosql injection on POST login forms, including tests for password and username extraction.

The attack works by injecting nosql's $regex and $eq operators on passwords and usernames.

python3 papaya.py TARGET_URL

• test for vulnerability
• if application is vulnerable, search for a string that is unique in the positive response and set it as the identifier
• choose an attack

pip install -r requirements.txt