Lumenex
Lumenex exposes a product search API that merges your JSON filter body directly into the database query. The base filter hides more than one field. Find them both.
The Scenario
Lumenex supplies commercial LED fixtures to contractors and facilities managers across the southeast. The B2B portal was rebuilt in 2022 during a push to replace the old REST API with a "flexible JSON filter" endpoint that let the frontend team iterate faster. The backend PR that shipped it had a two-line comment about coming back to validate the filter shape. That was eighteen months ago.
Challenge Intel
Synopsis
Multi-field filter override via JSON body merge — two server-side constraints must both be bypassed.
What It Is
The product search endpoint merges the request body directly into a MongoDB-style query. The server sets two default filters before the merge. Overriding only one still returns nothing useful — both must be defeated simultaneously.
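The merge pattern described above, next to a validated alternative, as an added example that is not the challenge's or Lumenex's own code. The field names (visibility, discontinued, category, wattage, name) and the base filter values are hypothetical.

```javascript
// Added example. Field names and base constraints are hypothetical,
// not taken from the Lumenex challenge.
const BASE_FILTER = { visibility: 'public', discontinued: false };

// Pattern described above: client keys are merged last and overwrite server defaults.
function buildQueryMerged(body) {
  return { ...BASE_FILTER, ...body };
}

// Client-filterable fields and the scalar type each one must have.
const ALLOWED = { category: 'string', wattage: 'number', name: 'string' };

// Hardened pattern: validate the filter shape, then apply server constraints last.
function buildQueryValidated(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('filter must be a JSON object');
  }
  const query = {};
  for (const [key, value] of Object.entries(body)) {
    // Rejects unknown fields, server-owned fields and top-level operators.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) {
      throw new TypeError(`field not filterable: ${key}`);
    }
    // Scalars only: an object value here would be an operator document.
    if (typeof value !== ALLOWED[key]) {
      throw new TypeError(`bad type for ${key}`);
    }
    query[key] = value;
  }
  // Server constraints are written after client input, so they always win.
  return { ...query, ...BASE_FILTER };
}

// Constructed sample request body that tries to replace one server default.
const sample = { category: 'highbay', visibility: { $ne: 'public' } };

// Runs the sample through both builders and reports what each one did.
function demo() {
  const merged = buildQueryMerged(sample);
  let rejected = false;
  try {
    buildQueryValidated(sample);
  } catch (e) {
    rejected = true;
  }
  return { mergedVisibility: merged.visibility, rejected };
}
```

With the validated builder, a request can narrow results on the allow-listed fields but cannot name a server-owned field or pass an operator document for any field.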
Who It's For
Players comfortable with single-field body-merge injection who want to practice reasoning about compound filter structures.
Skills You'll Practice
- Identifying and overriding multiple server-side query constraints
- MongoDB operator selection ($exists, $in, $ne) for filter bypass
- Schema inference from API response shapes
- Compound document query construction
What You'll Gain
- Understanding that base filters can have multiple independent constraints
- Practice selecting the right operator for each field type
- Experience with systematic filter enumeration