Herbalist Remedies
Herbalist Remedies — an herbal-blend catalog — trusts its login form to compare MongoDB query objects. Slip an operator in and see who else is home.
The Scenario
Herbalist Remedies has been quietly selling single-origin tinctures online for a decade. The login form was written long before anyone on the team had heard the phrase "NoSQL injection." The admin account still uses a password nobody remembers — not that it matters.
Challenge Intel
Synopsis
An entry-level NoSQL injection lab against a login form that compares structured query objects.
What It Is
Herbalist Remedies runs on a legacy codebase where authentication was written before NoSQL injection entered the mainstream vocabulary. The login handler trusts whatever shape the credentials arrive in, which is the textbook recipe for operator-based auth bypass. A gentle on-ramp for anyone moving from relational SQLi into the document-database world.
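The shape-trusting comparison described above, placed beside the type check that closes it, as an added example in Node.js-style JavaScript. This is not the lab's own code; the field names, the 256-character limit and the sample request bodies are assumptions constructed for the example.

```javascript
// Added example, not code from the Herbalist Remedies lab. The login handler
// builds a MongoDB filter from request fields; the unsafe builder forwards
// whatever shape arrives, the safe builder insists on plain strings first.
const MONGO_OPERATOR_PREFIX = "$";

// Vulnerable pattern: username/password are copied into the filter as-is.
// A JSON body whose value is an object carrying an operator key is then
// evaluated as an operator, not compared as a literal credential.
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: each credential must be a non-empty string of bounded
// length. Objects, arrays, numbers and missing fields are rejected before any
// query object exists, so the comparison is always literal-vs-literal.
// (Comparing a plaintext password in the query is a separate weakness; a real
// handler looks the user up by username and verifies a password hash.)
function assertCredentialString(value, field) {
  if (typeof value !== "string") {
    const kind = Array.isArray(value) ? "array" : typeof value;
    throw new TypeError(`${field} must be a string, got ${kind}`);
  }
  if (value.length === 0 || value.length > 256) {
    throw new RangeError(`${field} length out of range`);
  }
  return value;
}

function buildLoginQuerySafe(body) {
  return {
    username: assertCredentialString(body.username, "username"),
    password: assertCredentialString(body.password, "password"),
  };
}

// Review/detection helper: true when any filter value is an object with an
// operator-prefixed key, i.e. the shape the unsafe builder lets through.
function hasOperatorValue(query) {
  return Object.values(query).some(
    (v) =>
      v !== null &&
      typeof v === "object" &&
      Object.keys(v).some((k) => k.startsWith(MONGO_OPERATOR_PREFIX))
  );
}
```

Run `hasOperatorValue` over filters logged from the existing handler to find requests whose credentials arrived as objects rather than strings.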
Who It's For
Newcomers to NoSQL injection who want a clear, approachable first win.
Skills You'll Practice
- Authentication bypass against document databases
- Recognising object-comparison login flaws
- NoSQL injection fundamentals
- Intercepting and reshaping login traffic
- Spotting unsafe credential-handling patterns
What You'll Gain
- A clean first experience with NoSQL-style auth bypass
- Understanding of why shape-trusting comparisons are dangerous
- Transferable instincts for auditing login endpoints
- A foundation for tackling harder document-database labs
Ready to hack Herbalist Remedies?
This challenge is free. Sign up and start hacking.