noSQL injection Skills Assessment II

Hi there,

I’m writing here because I’m stuck since a while in the Skill Assessment II in the noSQL Injection module.
I’m pretty sure the username parameter is vulnerable because inputing a " cause an error 500.

I tried to re-imagine what the backend is doing re-using what I learned in the module:

this.username === "<username>"

Because doing this and replace with a " occurs an error too, which match with the behavior of the target.

But when I try to inject the well known payload " || true || "" == ", that returns a true on my test, it fails, the credentials are incorrect.

I also tried a simpler attack passing the parameters username[$ne]=“” but it fails complaining about the missing parameter username, I guess the code on the server side is sanitized correctly agains this kind of attack.

I can’t find another way to do it, any help would be appreciated

Ok found it, I struggle so much before understand what to look for…