Created: 30 Aug 2025. Updated: 13 Feb 2026.
Payments User Search (NoSQL Injection)
A payments support API accepts raw JSON filter objects from users and passes them directly into query evaluation, enabling NoSQL injection.
Language: javascript | 220 pts | 25 min

Story

The payments operations team asked engineering for a flexible support search endpoint so agents can quickly find accounts by different fields.

To ship fast, an "advanced filter" parameter was added that accepts raw JSON. Soon after, suspicious queries started returning admin and analyst accounts that should not have been exposed to regular support users.

System Context

The runnable Node.js project provides:

  • GET /users/search?email=... - server-built query (safer)
  • GET /users?filter=... - client-defined JSON filter (vulnerable)
  • GET /users/lookup?filter=... - constrained comparison path

Problem

The advanced search path accepts arbitrary JSON and treats it as executable query criteria, so caller-supplied operator objects can modify predicate behavior at runtime. This allows users to widen result sets beyond intended support constraints and enumerate accounts they should not see. As a result, a convenience filtering feature can bypass business-level access assumptions.
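One way to close the client-defined filter path described above, as an added example rather than the lab project's own code: the raw filter is parsed, restricted to an allowlist of searchable fields whose values must be plain strings (so operator keys and nested objects are rejected before anything reaches query evaluation), and the support-level business constraint is appended by the server, never by the caller. The field names, the "customer" role and the sample users are assumptions made for this example.

```javascript
// Added example (not the lab's code): hardening a client-defined JSON filter.
// Assumption: support agents may only see accounts whose role is "customer",
// and only the fields below are searchable.
const SEARCHABLE_FIELDS = new Set(["email", "status", "country"]);

// Accept only a flat object of string-equality terms on allowlisted fields.
// Operator keys ("$...") and nested objects would otherwise be interpreted
// by the query engine as predicates chosen by the caller.
function buildSafeQuery(rawFilter) {
  let parsed;
  try {
    parsed = JSON.parse(rawFilter);
  } catch {
    return { error: "invalid JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { error: "filter must be an object" };
  }
  const query = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!SEARCHABLE_FIELDS.has(key)) return { error: `field not searchable: ${key}` };
    if (typeof value !== "string") return { error: `non-scalar value for ${key}` };
    query[key] = value;
  }
  // The business-level constraint is fixed server side and cannot be widened.
  query.role = "customer";
  return { query };
}

// Constructed sample data standing in for the users collection.
const USERS = [
  { email: "a@example.com", role: "customer", status: "active" },
  { email: "b@example.com", role: "admin", status: "active" },
  { email: "c@example.com", role: "analyst", status: "active" },
];

// Equality-only matcher: the constrained comparison the safe path permits.
function searchUsers(rawFilter, users = USERS) {
  const { query, error } = buildSafeQuery(rawFilter);
  if (error) return { error };
  const results = users.filter((u) =>
    Object.entries(query).every(([k, v]) => u[k] === v)
  );
  return { results };
}
```

With this in place, a filter on status alone returns only the customer account; admin and analyst rows never leave the server, whatever the caller puts in the filter.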

Goal

Find the exact vulnerable line in the project code.
