Payments User Search (NoSQL Injection)
A payments microservice exposes a user search endpoint that trusts a JSON filter from the query string, enabling NoSQL injection.
medium · 220 pts · free · javascript
Overview
The Payments service exposes user search for support agents. There are two styles:
- Simple search endpoint at GET /users/search?email=... (safe, server-built query)
- Advanced search endpoint at GET /users?filter=... (JSON string passed to DB)
Abuse reports show attackers enumerate privileged users by injecting MongoDB operators (e.g., { "role": { "$ne": "user" } }).
Your task: review the advanced search path and identify the exact vulnerable line that allows NoSQL injection. Consider safer alternatives.
Relevant files:
- src/server.js (advanced search, vulnerable)
- src/routes/users.js (simple search)
- src/db.js (DB adapter)
- src/utils/sanitize.js (example of how to strip operators)
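As an added illustration that is not the lab's own source (src/server.js and src/utils/sanitize.js are not reproduced here), the following JavaScript contrasts the pattern that makes the advanced search path vulnerable with a sanitizer that refuses operator keys and a field allow-list, and shows why the simple endpoint's server-built query is safe. The function names, the allow-listed fields and the sample filters are assumptions; no database driver is needed to run it.

```javascript
// Added example, not the lab's code. Function names, ALLOWED_FIELDS and the
// sample filters below are hypothetical.

// Vulnerable pattern: the query-string JSON is parsed and handed to the
// driver unchanged, so any key the client writes becomes a query operator.
function vulnerableAdvancedSearch(filterParam) {
  const filter = JSON.parse(filterParam);
  return { collection: "users", query: filter }; // stands in for db.find(filter)
}

// Walk the whole object graph (objects and arrays) and throw on any key that
// starts with "$" (MongoDB operator) or contains "." (field-path traversal).
// Returns the value untouched when it is clean.
function sanitizeFilter(value, path = "filter") {
  if (Array.isArray(value)) {
    value.forEach((item, i) => sanitizeFilter(item, `${path}[${i}]`));
    return value;
  }
  if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (key.startsWith("$") || key.includes(".")) {
        throw new Error(`operator or dotted key rejected at ${path}.${key}`);
      }
      sanitizeFilter(value[key], `${path}.${key}`);
    }
    return value;
  }
  return value; // primitives carry no keys
}

// Hardened advanced search: parse, require a plain object, reject operator
// keys, then confine the filter to string equality on allow-listed fields.
const ALLOWED_FIELDS = new Set(["email", "name", "country"]); // assumed fields

function safeAdvancedSearch(filterParam) {
  let filter;
  try {
    filter = JSON.parse(filterParam);
  } catch {
    throw new Error("filter must be valid JSON");
  }
  if (filter === null || typeof filter !== "object" || Array.isArray(filter)) {
    throw new Error("filter must be a JSON object");
  }
  sanitizeFilter(filter);
  for (const key of Object.keys(filter)) {
    if (!ALLOWED_FIELDS.has(key)) throw new Error(`field not searchable: ${key}`);
    if (typeof filter[key] !== "string") throw new Error(`field must be a string: ${key}`);
  }
  return { collection: "users", query: filter };
}

// Simple endpoint style: the server builds the query itself. Query parsers
// that expand email[$ne]=x into an object are caught by the type check, so
// the parameter can only ever be matched as a literal string.
function buildSimpleQuery(emailParam) {
  if (typeof emailParam !== "string") throw new Error("email must be a string");
  return { collection: "users", query: { email: emailParam } };
}

// Constructed inputs mirroring the abuse report.
const BENIGN_FILTER = '{"email":"agent@example.com"}';
const INJECTED_FILTER = '{"role":{"$ne":"user"}}';

function demo() {
  const leaked = vulnerableAdvancedSearch(INJECTED_FILTER).query; // operator passes through
  let blocked = false;
  try {
    safeAdvancedSearch(INJECTED_FILTER);
  } catch (e) {
    blocked = true;
  }
  return { operatorReachedDb: "$ne" in leaked.role, operatorBlocked: blocked };
}
```

Rejecting rather than silently stripping is deliberate: a dropped operator key turns `{ "role": { "$ne": "user" } }` into `{ "role": {} }`, which is a different query from what the client sent and is harder to spot in logs than an explicit 400. Libraries such as express-mongo-sanitize implement the same key-based approach; the allow-list on top of it is what actually bounds what a support agent can search for.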