GlacierCache
GlacierCache's offline-sync pipeline trusts the metadata blob stored in a client-created sync token. The commit step replays that blob straight into a document query — including a collection that isn't the one you thought.
The Scenario
GlacierCache ships a "trusted-token" sync model — the client writes a token describing the sync it wants, the server commits it later. The token's metadata blob is passed verbatim into the query layer. The ops team uses the same collection namespace for their administrative buckets.
Challenge Intel
Synopsis
A hard NoSQL injection lab where a sync pipeline trusts a client-authored metadata blob.
What It Is
GlacierCache's offline-first sync flow carries a token whose embedded metadata is later replayed into the server's query layer. Because the metadata is never normalised, a thoughtfully forged token redirects the commit step toward records you were never meant to touch. This is a realistic take on trust-at-rest flaws in sync protocols built on document databases.
Who It's For
Experienced testers comfortable with NoSQL who want to practice logic-layer injection, not just form-level payloads.
Skills You'll Practice
- Trust-boundary analysis in sync protocols
- NoSQL injection through replayed metadata
- Cross-namespace data discovery
- Token forgery against weakly validated structures
- Reading sync semantics for abuse paths
What You'll Gain
- Experience exploiting bugs that live between client state and server replay
- A framework for auditing sync tokens you see in the wild
- Fluency switching between intended and unintended query targets
- Confidence that NoSQL injection extends well beyond login forms
Ready to hack GlacierCache?
Upgrade to Pro to unlock this challenge and the full library.