Hi there,
I’m writing here because I’m stuck since a while in the Skill Assessment II in the noSQL Injection module.
I’m pretty sure the username parameter is vulnerable because inputing a " cause an error 500.
I tried to re-imagine what the backend is doing re-using what I learned in the module:
this.username === "<username>"
Because doing this and replace with a " occurs an error too, which match with the behavior of the target.
But when I try to inject the well known payload " || true || "" == ", that returns a true on my test, it fails, the credentials are incorrect.
I also tried a simpler attack passing the parameters username[$ne]=“” but it fails complaining about the missing parameter username, I guess the code on the server side is sanitized correctly agains this kind of attack.
I can’t find another way to do it, any help would be appreciated