Login again?! (Note: You don't necessarily have to solve Another Login Challenge first)
Beginner Hint 1: Overview of the Challenge
- In index.js, a simple login feature is implemented.
- It appears to use MongoDB to check whether a user with the submitted username and password exists.
- It does not seem possible to create your own user. Also, a user called admin is registered, but guessing that password would be impossible.
Beginner Hint 2: How to Approach the Challenge
- As mentioned in the comments, it seems possible to send data in both application/x-www-form-urlencoded and application/json formats. Therefore, if you use JSON, you can send non-string values in username and password.
- The login form alone might not allow you to send the intended data. For methods of sending data without using a browser, refer to my writeup for I wanna be the Admin.
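
Seen from the server side, the gap Hint 2 points at closes when the handler checks types before the values reach the database query. The sketch below is an added example, not the challenge's code; the function name parseLoginBody, the 128-character limit and the sample requests are assumptions made here.

```javascript
// Added example (not the challenge's code): parse a login body in either
// format and accept the credentials only if both are plain strings.
function parseLoginBody(contentType, rawBody) {
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  let body;
  if (type === "application/x-www-form-urlencoded") {
    // URLSearchParams only ever yields strings (or null when a key is absent).
    const params = new URLSearchParams(rawBody);
    body = { username: params.get("username"), password: params.get("password") };
  } else if (type === "application/json") {
    // JSON can carry objects, arrays, numbers, booleans and null.
    try {
      body = JSON.parse(rawBody);
    } catch {
      return { ok: false, reason: "malformed JSON" };
    }
  } else {
    return { ok: false, reason: "unsupported content type" };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be an object" };
  }
  for (const field of ["username", "password"]) {
    const value = body[field];
    if (typeof value !== "string") {
      return { ok: false, reason: `${field} must be a string` };
    }
    if (value.length === 0 || value.length > 128) { // assumed limit
      return { ok: false, reason: `${field} has an invalid length` };
    }
  }
  // Copy only the two validated fields so nothing else reaches the query.
  return { ok: true, credentials: { username: body.username, password: body.password } };
}

// Constructed sample requests, one per case.
const samples = [
  ["application/x-www-form-urlencoded", "username=alice&password=s3cret"],
  ["application/json", '{"username":"alice","password":"s3cret"}'],
  ["application/json", '{"username":"alice","password":{"nested":"value"}}'],
  ["application/json", '{"username":"alice","password":12345}'],
];
for (const [type, raw] of samples) {
  console.log(type, raw, "->", JSON.stringify(parseLoginBody(type, raw)));
}
```
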
Beginner Hint 3: When you are really stuck
- Try searching for MongoDB injection or NoSQL injection.