Expected Findings
- Login query passes JSON sub-objects directly into Mongo as operators.
- `{$ne:""}` matches any non-empty password.
- Account list endpoint accepts `{$gt:""}` to enumerate users.

The login route hands the request body straight to Mongo, so operator objects like `$ne` and `$gt` flip authentication into a wildcard.

```javascript
db.users.findOne(req.body) // no schema check
```
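
An added example, not code from the original page: a self-contained sketch of why the operator objects in the findings match, next to a login handler that type-checks the body before building the filter. `USERS`, `matches`, `findOne`, `loginUnsafe` and `loginSafe` are hypothetical names, and `matches` is a small stand-in for Mongo's `$ne`/`$gt` semantics, not the driver.

```javascript
// Constructed sample data standing in for the users collection.
// Plaintext passwords only to mirror the query shape in the finding.
const USERS = [
  { username: "alice", password: "correct horse" },
  { username: "bob", password: "hunter2" },
];

// Hypothetical stand-in for Mongo's matching of the two operators named
// in the findings. String comparison only; not the MongoDB driver.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === "$ne") return value !== arg;
        if (op === "$gt") return typeof value === "string" && value > arg;
        return false; // operators outside this sketch never match
      });
    }
    return value === cond; // plain value: exact equality
  });
}

const findOne = (filter) => USERS.find((u) => matches(u, filter)) || null;

// Vulnerable shape from the finding: the request body is the filter.
function loginUnsafe(body) {
  return findOne(body);
}

// Hardened shape: accept only string credentials and build the filter from
// named fields, so no client-supplied object ever reaches the query.
function loginSafe(body) {
  const { username, password } = body || {};
  if (typeof username !== "string" || typeof password !== "string") {
    return null; // rejects operator objects, arrays, numbers, missing fields
  }
  return findOne({ username, password });
}
```

The same type check belongs on the account list endpoint, where the finding shows `{$gt:""}` being accepted as a filter value.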