OWASP Top 10

NoSQL Injection - Operator Injection

Difficulty: Easy | Category: A03:2021 - Injection | 150 points
Challenge Description

This login form uses a NoSQL database (similar to MongoDB) and is vulnerable to operator injection. Your goal is to bypass the authentication and log in as the admin user without knowing the password.

NoSQL databases often accept JSON query objects containing special operators such as $ne (not equal), $gt (greater than), and $regex. If the application passes user input into the query object without validating its type, an attacker can supply these operators in place of a plain value.

Learning Objective: Understand how NoSQL injection differs from SQL injection and how query operators can be exploited to bypass authentication.

Vulnerable NoSQL Login (MongoDB-style)
The login form accepts a plain username or a JSON object such as {"$ne": ""}; the API accepts JSON query operators.
MongoDB Operators Reference

Operator   Description
$ne        Not equal
$gt        Greater than
$regex     Regex match
$exists    Field exists
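The following is an added example, not code from the challenge application. It builds a tiny in-memory imitation of a MongoDB-style query matcher that understands only the four operators in the reference above, then contrasts a login handler that splices the parsed JSON body straight into the query with one that first requires both credentials to be plain strings. The user records, the password values and the request bodies are constructed sample data; the helper names (findOne, loginVulnerable, loginHardened, asCredential, containsOperator) are this example's own.

```javascript
// Constructed sample users; the password strings are placeholders, not real secrets.
const users = [
  { username: "admin", password: "placeholder-admin-pw" },
  { username: "alice", password: "wonderland" },
];

// Evaluate one field condition: a literal value, or an object of operators.
// Only the four operators from the reference table are implemented.
function matchField(value, cond) {
  if (cond === null || typeof cond !== "object") return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case "$ne":     return value !== arg;
      case "$gt":     return value > arg;
      case "$regex":  return typeof value === "string" && new RegExp(arg).test(value);
      case "$exists": return (value !== undefined) === Boolean(arg);
      default:        throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Return the first document for which every field in the query matches, else null.
function findOne(collection, query) {
  const hit = collection.find(doc =>
    Object.entries(query).every(([field, cond]) => matchField(doc[field], cond))
  );
  return hit || null;
}

// VULNERABLE: the request body is used as-is, so a credential that is itself an
// object (e.g. {"$ne": ""}) is interpreted by the matcher as an operator expression.
function loginVulnerable(body) {
  const user = findOne(users, { username: body.username, password: body.password });
  return user ? user.username : null;
}

// Guard: a credential must be a non-empty string of bounded length.
// Objects, arrays, numbers and null are rejected before any query is built.
function asCredential(value, maxLen = 128) {
  if (typeof value !== "string" || value.length === 0 || value.length > maxLen) {
    return null;
  }
  return value;
}

// HARDENED: type-check both fields first; the query then only ever carries
// literal strings, which the matcher compares with strict equality.
function loginHardened(body) {
  const username = asCredential(body.username);
  const password = asCredential(body.password);
  if (username === null || password === null) return null;
  const user = findOne(users, { username, password });
  return user ? user.username : null;
}

// Detection aid for request logging: true if any key in the value (recursively)
// starts with "$", i.e. the client sent a query operator where a string belongs.
function containsOperator(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some(k => k.startsWith("$") || containsOperator(value[k]));
}

// Stand-alone demonstration of the two handlers on the same constructed body.
const probe = { username: "admin", password: { "$ne": "" } };
console.log("vulnerable:", loginVulnerable(probe));   // "admin"
console.log("hardened:  ", loginHardened(probe));     // null
console.log("operator in body:", containsOperator(probe.password)); // true
```

The fix is the type check, not the comparison operator: MongoDB-style drivers treat any object value as a query expression, so a login route must reject non-string credentials (or use a schema validator that enforces `type: "string"` on those fields) before the body reaches the query. The containsOperator helper is the kind of check worth wiring into request logging so that probes of this shape show up as an alert rather than only as a failed login.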