SwiftSearch Hotels
SwiftSearch's hotel API accepts a JSON filter body that's merged straight into a MongoDB-style query. Ordinary users filter by city and price; operators slip in just as easily.
The Scenario
SwiftSearch Hotels is a mid-sized booking aggregator out of Austin, founded in 2017 and now indexing about forty thousand properties across the US and Mexico. Last quarter the platform team finished a long "JSON-first" refactor of the search API — the old endpoint with a dozen positional query params was replaced by a single filter object the frontend builds and the backend hands to the database. The eng lead shipped it on a Friday with a note in the PR about coming back to tighten the filter shape; the ticket is still open.
Challenge Intel
Synopsis
A medium NoSQL injection lab where a JSON filter body is merged straight into a document query.
What It Is
SwiftSearch's hotel-search API takes a filter object from the client and hands it to the database with minimal cleanup. The intended users filter by simple fields, but the same pass-through accepts far more expressive inputs than the UI ever offers. A solid mid-tier exercise in body-parameter NoSQL injection.
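The body-merge anti-pattern the lab is built around, placed beside a hardened filter builder and a small detection helper. This is an added example, not SwiftSearch's code; the field names, the `price`/`$lte` mapping and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example, not SwiftSearch's code. Models the page's anti-pattern (client
// filter merged straight into a MongoDB-style query) beside a hardened builder.
// Field names, the price mapping and the sample bodies are assumptions.

// Fields the UI actually exposes, with the primitive type each must have.
const ALLOWED_FILTERS = { city: "string", maxPrice: "number", stars: "number" };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Anti-pattern: the parsed JSON body *is* the query. Any key the client sends,
// including operator keys such as $ne or $where, reaches the database as-is.
function buildQueryUnsafe(body) {
  return { ...body };
}

// Hardened builder: allowlist the field names, check each value is a scalar of
// the expected type, and assemble any operator structure server-side.
function buildQuerySafe(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new TypeError("filter must be a JSON object");
  }
  for (const [key, value] of Object.entries(body)) {
    if (!hasOwn(ALLOWED_FILTERS, key)) throw new RangeError(`unknown filter field: ${key}`);
    const expected = ALLOWED_FILTERS[key];
    if (typeof value !== expected) throw new TypeError(`${key} must be a ${expected}`);
    // typeof NaN === "number", but NaN is never a usable bound
    if (expected === "number" && !Number.isFinite(value)) throw new TypeError(`${key} must be finite`);
  }
  const query = {};
  if (body.city !== undefined) query.city = body.city;
  if (body.maxPrice !== undefined) query.price = { $lte: body.maxPrice };
  if (body.stars !== undefined) query.stars = body.stars;
  return query;
}

// Detection helper for request logging or a gateway rule: true if any key at any
// depth is $-prefixed or a dotted path, neither of which the UI ever emits.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith("$") || k.includes(".") || containsOperatorKey(v)
  );
}

// Constructed sample bodies: one the frontend would send, one carrying an operator key.
const normalBody = { city: "Austin", maxPrice: 200 };
const suspiciousBody = { city: { $ne: "" } };

console.log(buildQuerySafe(normalBody));          // { city: 'Austin', price: { $lte: 200 } }
console.log(containsOperatorKey(suspiciousBody)); // true
try { buildQuerySafe(suspiciousBody); } catch (e) { console.log(e.message); } // city must be a string
```

Note that `buildQueryUnsafe` passes the suspicious body through unchanged, which is exactly the pass-through the synopsis describes; the safe builder rejects it on type, and the detector flags it independently of whether the backend has been fixed.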
Who It's For
Testers comfortable with HTTP tooling who want focused practice on JSON-body injection.
Skills You'll Practice
- JSON-body NoSQL injection
- Expanding filter surfaces beyond the UI
- Document-database query shaping
- Recognising body-merge anti-patterns
- Manipulating structured request payloads
What You'll Gain
- Comfort reshaping JSON bodies to reach unintended behaviours
- A clear picture of body-merge risks in modern APIs
- Transferable skills for auditing any JSON-first backend
- Confidence moving between relational and document injection
Ready to hack SwiftSearch Hotels?
This challenge is free. Sign up and start hacking.