Herbalist Remedies
Herbalist Remedies — an herbal-blend catalog — trusts its login form to compare MongoDB query objects. Slip an operator in and see who else is home.
The Scenario
Herbalist Remedies has been quietly selling single-origin tinctures and small-batch teas online since 2014, run out of a converted dairy barn in western Massachusetts by a husband-and-wife team and one part-time fulfillment helper. Two-ounce bottles are $24, the gift box is $72, and the storefront has been on the same codebase since launch — the founder's brother wrote it over a long winter and hasn't been asked to touch it since.
Challenge Intel
Synopsis
An entry-level NoSQL injection lab against a login form that compares structured query objects.
What It Is
Herbalist Remedies runs on a legacy codebase where authentication was written before NoSQL injection entered the mainstream vocabulary. The login handler trusts whatever shape the credentials arrive in, which is the textbook recipe for operator-based auth bypass. A gentle on-ramp for anyone moving from relational SQLi into the document-database world.
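As an added example (not the storefront's or the lab's own code), here is the shape-trusting login pattern described above beside a hardened version that refuses non-string credentials, plus a small helper a defender can use to flag operator-shaped values in logs; the Express-style JSON body and the field names are assumptions.

```javascript
// Added example, not the lab's code. Assumes an Express-style handler that
// receives a parsed JSON body and a MongoDB users collection with a
// `username` field (name assumed); password checking happens after lookup.

// Vulnerable pattern: body values are copied straight into the query filter.
// When a value arrives as an object rather than a string, the intended
// equality match silently becomes an operator expression.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: accept only plain, bounded strings for both fields.
// Returns null for anything else so the caller can reject the request.
function validateCredentials(body) {
  if (body === null || typeof body !== "object") return null;
  const { username, password } = body;
  for (const v of [username, password]) {
    if (typeof v !== "string" || v.length === 0 || v.length > 256) return null;
  }
  return { username, password };
}

function buildLoginQuerySafe(body) {
  const creds = validateCredentials(body);
  if (creds === null) return null;
  // Only the username is used as a query field; the password is verified
  // against the stored hash after the lookup, never compared in the query.
  return { username: creds.username };
}

// Detection aid: true when a credential value is an object carrying any
// `$`-prefixed key, i.e. the shape a login field should never have.
function hasOperatorShapedValue(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some((k) => k.startsWith("$"));
}

// Constructed sample bodies (not captured traffic).
const normalBody = { username: "alice", password: "correct horse" };
const shapedBody = { username: "alice", password: { $ne: "" } };
```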
Who It's For
Newcomers to NoSQL injection who want a clear, approachable first win.
Skills You'll Practice
- Authentication bypass against document databases
- Recognising object-comparison login flaws
- NoSQL injection fundamentals
- Intercepting and reshaping login traffic
- Spotting unsafe credential-handling patterns
What You'll Gain
- A clean first experience with NoSQL-style auth bypass
- Understanding of why shape-trusting comparisons are dangerous
- Transferable instincts for auditing login endpoints
- A foundation for tackling harder document-database labs
Ready to hack Herbalist Remedies?
This challenge is free. Sign up and start hacking.