SwiftSearch Hotels
SwiftSearch's hotel API accepts a JSON filter body that's merged straight into a MongoDB-style query. Ordinary users filter by city and price; query operators slip in just as easily.
The Scenario
SwiftSearch rebuilt their hotel-search API "JSON-first" during their last refactor. The old positional-arg endpoint became a body-merged filter pass-through — readable, flexible, and utterly permissive.
Challenge Intel
Synopsis
A medium-difficulty NoSQL injection lab where a JSON filter body is merged straight into a document query.
What It Is
SwiftSearch's hotel-search API takes a filter object from the client and hands it to the database with minimal cleanup. The intended users filter by simple fields, but the same pass-through accepts far more expressive inputs than the UI ever offers. A solid mid-tier exercise in body-parameter NoSQL injection.
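The body-merge anti-pattern described above is the part to fix, so here is an added example (not SwiftSearch's code) of what the hardened side of that endpoint looks like: an allowlist filter builder that only honours the two fields the UI offers, types each value, and builds any range operators itself instead of forwarding whatever the client sent. The field names, the city pattern and the price ceiling are assumptions for illustration.

```javascript
// Added example, not SwiftSearch's own code. Field names (city, price),
// the city pattern and MAX_PRICE are assumed values for illustration.

const ALLOWED_CITY = /^[\p{L}\s.'-]{1,64}$/u; // short, letters-only place name
const MAX_PRICE = 100000;                      // arbitrary upper bound, assumed

class FilterError extends Error {}

function checkPrice(n) {
  if (typeof n !== 'number' || !Number.isFinite(n) || n < 0 || n > MAX_PRICE) {
    throw new FilterError('price out of range');
  }
  return n;
}

// Build a document-store filter from an untrusted JSON body.
// Only `city` (plain string) and `price` (number or {min,max}) are honoured.
// Any other key, including anything starting with "$", is rejected outright
// rather than merged into the query.
function buildHotelFilter(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new FilterError('filter body must be a JSON object');
  }
  const filter = {};
  for (const key of Object.keys(body)) {
    const value = body[key];
    switch (key) {
      case 'city':
        // A string literal only; an object here would be an operator, so reject it.
        if (typeof value !== 'string' || !ALLOWED_CITY.test(value)) {
          throw new FilterError('city must be a short plain string');
        }
        filter.city = value;
        break;
      case 'price': {
        // Scalar: exact match. Object: a bounded range that we construct, so
        // the only operators reaching the database are the ones written here.
        if (typeof value === 'number') {
          filter.price = checkPrice(value);
        } else if (value && typeof value === 'object' && !Array.isArray(value)) {
          const extra = Object.keys(value).filter(k => k !== 'min' && k !== 'max');
          if (extra.length) throw new FilterError(`unexpected price keys: ${extra.join(',')}`);
          const range = {};
          if ('min' in value) range.$gte = checkPrice(value.min);
          if ('max' in value) range.$lte = checkPrice(value.max);
          if (range.$gte !== undefined && range.$lte !== undefined && range.$gte > range.$lte) {
            throw new FilterError('price.min exceeds price.max');
          }
          filter.price = range;
        } else {
          throw new FilterError('price must be a number or {min,max}');
        }
        break;
      }
      default:
        // Unknown field or a top-level operator key: not allowed through.
        throw new FilterError(`field not allowed: ${key}`);
    }
  }
  return filter;
}

// Wrapper that separates a validation failure (HTTP 400 material) from a bug.
function tryBuildHotelFilter(body) {
  try {
    return { ok: true, filter: buildHotelFilter(body) };
  } catch (e) {
    if (e instanceof FilterError) return { ok: false, error: e.message };
    throw e;
  }
}

// Usage: a normal search builds a filter, an operator-shaped body is refused.
console.log(tryBuildHotelFilter({ city: 'Lisbon', price: { min: 50, max: 200 } }));
console.log(tryBuildHotelFilter({ city: { $gt: '' } }));
```

The design choice worth noting is that the output filter is built from scratch rather than by cleaning the input: a denylist of `$` keys misses nested objects and future operators, whereas an allowlist that only ever emits `$gte`/`$lte` it wrote itself cannot be steered by the client, and a validation failure becomes a 400 rather than a silently widened query.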
Who It's For
Testers comfortable with HTTP tooling who want focused practice on JSON-body injection.
Skills You'll Practice
- JSON-body NoSQL injection
- Expanding filter surfaces beyond the UI
- Document-database query shaping
- Recognising body-merge anti-patterns
- Manipulating structured request payloads
What You'll Gain
- Comfort reshaping JSON bodies to reach unintended behaviours
- A clear picture of body-merge risks in modern APIs
- Transferable skills for auditing any JSON-first backend
- Confidence moving between relational and document injection
Ready to hack SwiftSearch Hotels?
This challenge is free. Sign up and start hacking.