DroneFleet Ops
DroneFleet's callsign search pipes raw user input into a MongoDB-style $regex match. The results panel shows a match count but nothing else about the hidden ops-secrets collection — just enough to leak one bit per request.
The Scenario
DroneFleet's ops console was written by an SRE with no security budget. The callsign-search bar was added to chase a feature request and uses a regex match because "it was simpler." The ops_secrets collection is queried through the same mechanism, so the search surface reaches it too.
Challenge Intel
Synopsis
A NoSQL injection lab against a fleet-management console where a search feature leaks match counts.
What It Is
DroneFleet's operational console exposes a lookup built on a document database, where user input flows into a pattern match with almost no guardrails. The UI only surfaces a match count, but that numeric signal is enough to walk through hidden collections if you shape your inputs carefully. A good introduction to count-based oracles against MongoDB-style stores.
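To make the weakness concrete, here is an added example (not DroneFleet's own code, and not from any product the lab is based on) that builds a MongoDB-style $regex filter from user input in the vulnerable shape beside a hardened shape, run against a constructed in-memory collection so it needs no database. The collection, document names and the `countMatches` stand-in for a Mongo count query are assumptions of this example.

```javascript
// Constructed sample documents standing in for a callsigns collection.
const CALLSIGNS = [
  { callsign: 'FALCON-1' }, { callsign: 'FALCON-2' },
  { callsign: 'HAWK-7' },   { callsign: 'OSPREY-3' },
];

// Minimal stand-in for countDocuments({field: {$regex, $options}}):
// evaluates the same filter shape against an in-memory array.
function countMatches(docs, filter) {
  const [field, cond] = Object.entries(filter)[0];
  const re = new RegExp(cond.$regex, cond.$options || '');
  return docs.filter((d) => re.test(String(d[field]))).length;
}

// VULNERABLE: the raw string is used as the pattern, so every regex
// metacharacter is honoured and the returned count depends on the
// *shape* of the input rather than its literal value. That count is
// the one-bit-per-request signal the challenge text describes.
function vulnerableSearch(docs, userInput) {
  return countMatches(docs, { callsign: { $regex: userInput } });
}

// Escape every regex metacharacter so the input is matched literally.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// HARDENED: (1) reject non-string input, which blocks operator objects
// such as {"$regex": ...} arriving from a JSON body; (2) cap the length
// so a pathological pattern cannot be smuggled in; (3) escape the input
// and anchor it, so the user gets a literal prefix search and nothing
// else. If only exact lookups are needed, prefer equality
// ({ callsign: userInput }) and drop $regex entirely.
function safeSearch(docs, userInput) {
  if (typeof userInput !== 'string') {
    throw new TypeError('callsign must be a string');
  }
  if (userInput.length === 0 || userInput.length > 32) {
    throw new RangeError('callsign length out of bounds');
  }
  const pattern = '^' + escapeRegex(userInput);
  return countMatches(docs, { callsign: { $regex: pattern } });
}

module.exports = { CALLSIGNS, countMatches, vulnerableSearch, escapeRegex, safeSearch };
```

The same literal input ("FALCON") returns the same count from both functions; only inputs carrying metacharacters or operator objects behave differently, which is exactly the class of input an audit should probe for and a fix should neutralise.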
Who It's For
Mid-level testers who've done relational SQLi and want equivalent fluency against document databases.
Skills You'll Practice
- NoSQL injection against document stores
- Count-based inference and oracles
- Shaping pattern matches for data extraction
- Cross-collection enumeration strategies
- Reasoning about permissive query merging
What You'll Gain
- Practical experience exploiting NoSQL lookups that reveal only aggregate signals
- A mental model for turning count deltas into character-level leaks
- Comfort navigating Mongo-flavoured query surfaces
- Habits for spotting regex-driven search features during real audits
Ready to hack DroneFleet Ops?
Upgrade to Pro to unlock this challenge and the full library.