VoltCore Energy
VoltCore's member portal lets you edit your profile in place. The update endpoint takes a JSON body and passes it straight to the database driver. There's more in your record than the form shows.
The Scenario
VoltCore Energy launched in 2019 targeting the endurance-sports market with a cleaner label and higher caffeine-per-dollar than the legacy players. The loyalty portal was built by a contractor on a tight deadline — the profile update was wired up in the last sprint and went live before code review. The contractor's Slack account has been deactivated. The ticket is unassigned.
Challenge Intel
Synopsis
Post-auth privilege escalation via MongoDB update operator injection on the profile endpoint.
What It Is
The profile update endpoint passes the raw request body directly to NeDB's update function. NeDB — like MongoDB — interprets top-level keys beginning with $ as operators. An authenticated user can supply their own $set operator with arbitrary fields, including role.
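The difference between using the raw body as the update document and building the update on the server, as an added example (not the challenge's or VoltCore's code). `applyUpdate` is a simplified stand-in for NeDB's operator handling, and the field names, sample record and `buildProfileUpdate` helper are assumptions.

```javascript
// Simplified stand-in for NeDB/MongoDB update semantics (not the real driver):
// top-level $-keys are operators; with none, the update replaces the document.
function applyUpdate(doc, update) {
  if (Object.keys(update).some((k) => k.startsWith('$'))) {
    return { ...doc, ...(update.$set || {}) }; // only $set is modelled here
  }
  return { _id: doc._id, ...update };
}

// Fields the profile form may change (assumed names).
const EDITABLE_FIELDS = ['displayName', 'email'];

// Build the update on the server: the client supplies values only, never
// operators, dotted paths, or fields outside the allow-list.
function buildProfileUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('profile body must be a JSON object');
  }
  const set = {};
  for (const [key, value] of Object.entries(body)) {
    if (key.startsWith('$') || key.includes('.')) {
      throw new TypeError(`operator or dotted key rejected: ${key}`);
    }
    if (!EDITABLE_FIELDS.includes(key)) continue; // role is never client-writable
    if (typeof value !== 'string') throw new TypeError(`${key} must be a string`);
    set[key] = value;
  }
  return { $set: set };
}

// Constructed sample record and request bodies.
const stored = { _id: 'u1', displayName: 'Sam', email: 'sam@example.test', role: 'member' };
const operatorBody = { $set: { role: 'admin' } };
const extraFieldBody = { displayName: 'Sam R', role: 'admin' };

// Raw body used as the update document: the client's operator is honoured.
const rawResult = applyUpdate(stored, operatorBody);
// Server-built update: only allow-listed fields reach $set.
const safeResult = applyUpdate(stored, buildProfileUpdate(extraFieldBody));

function rejects(body) {
  try { buildProfileUpdate(body); return false; } catch (e) { return e instanceof TypeError; }
}
console.log(rawResult.role, safeResult.role, rejects(operatorBody));
```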
Who It's For
Players who have done basic NoSQL auth bypass and want to see what post-auth injection looks like.
Skills You'll Practice
- MongoDB/NeDB update operator mechanics
- Post-authentication privilege escalation
- Identifying mass-assignment vulnerabilities in document databases
- Intercepting and reshaping JSON API requests
What You'll Gain
- Understanding why {$set: req.body} and req.body are dangerously different
- Experience escalating privileges through update injection rather than auth bypass