Headcount
Headcount's compensation report aggregation endpoint has a debug parameter that was never removed from production. The org chart reveals where to look.
The Scenario
Headcount's engineering team added an include_raw parameter to the aggregation endpoint for debugging during the compensation review sprint. A TODO comment in the org chart template reminded them to remove it. Neither the comment nor the parameter made it into the cleanup ticket. A regular employee account is enough to pull full compensation report data.
Challenge Intel
Synopsis
A debug include_raw parameter on the HR reports aggregation endpoint was never gated by role — any authenticated employee can trigger it.
What It Is
GET /api/hr/reports/aggregate?group_by=department returns aggregate stats. Adding include_raw=true triggers a code path that embeds the raw compensation report documents in the response. The endpoint checks req.session.role === 'hr_admin' on the normal path, but the include_raw branch runs before that check, so any authenticated session reaches it. The flag is in the executive_notes field of one of the embedded report documents. The HTML comment <!-- TODO: remove include_raw before prod --> in orgchart.html is the discovery hint.
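The ordering bug described above, reconstructed as an added example; this is not the challenge's own code, and the report documents, salaries, flag value and the env parameter on the hardened handler are all constructed assumptions. The handlers take a plain object in place of an Express req so the example runs without a web framework. The vulnerable handler mirrors the page's description (debug branch before the role check); the hardened one authorizes once, up front, so every branch inherits the check, and additionally refuses the debug flag in production.

```javascript
// Added example, not the Headcount challenge's actual source. Data is constructed.

// Constructed sample compensation report documents.
const REPORTS = [
  { id: 101, employee: 'alice', department: 'engineering', salary: 140000, executive_notes: '' },
  { id: 102, employee: 'bob',   department: 'engineering', salary: 125000, executive_notes: '' },
  { id: 103, employee: 'carol', department: 'finance',     salary: 110000,
    executive_notes: 'FLAG{constructed-placeholder}' },
];

// Aggregate stats per group (count and average salary): the intended response.
function aggregate(reports, groupBy) {
  const groups = {};
  for (const r of reports) {
    const key = r[groupBy];
    if (key === undefined) continue;
    const g = groups[key] || (groups[key] = { count: 0, total: 0 });
    g.count += 1;
    g.total += r.salary;
  }
  return Object.fromEntries(
    Object.entries(groups).map(([k, g]) => [k, { count: g.count, avg_salary: g.total / g.count }])
  );
}

// VULNERABLE: the include_raw debug branch returns before the hr_admin check,
// so any authenticated session (role 'employee' included) receives raw documents.
function vulnerableAggregateHandler(req) {
  const groupBy = req.query.group_by || 'department';
  if (req.query.include_raw === 'true') {
    // Debug path added during the sprint; no role check on this branch.
    return { status: 200, body: { stats: aggregate(REPORTS, groupBy), raw: REPORTS } };
  }
  if (!req.session || req.session.role !== 'hr_admin') {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: { stats: aggregate(REPORTS, groupBy) } };
}

// HARDENED: authorization runs once, before any branching, so no later code path
// can skip it. The debug flag is also refused in production (env is an assumed
// deployment setting, not something the page describes).
function hardenedAggregateHandler(req, env = 'production') {
  if (!req.session || req.session.role !== 'hr_admin') {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const groupBy = req.query.group_by || 'department';
  const body = { stats: aggregate(REPORTS, groupBy) };
  if (req.query.include_raw === 'true') {
    if (env === 'production') {
      return { status: 400, body: { error: 'include_raw is not available in production' } };
    }
    body.raw = REPORTS;
  }
  return { status: 200, body };
}

// Build a minimal request object in the shape the handlers expect.
function makeReq(role, query) {
  return { session: { role }, query };
}

// Stand-alone demonstration: same employee request against both handlers.
function demo() {
  const req = makeReq('employee', { group_by: 'department', include_raw: 'true' });
  const vuln = vulnerableAggregateHandler(req);
  const hard = hardenedAggregateHandler(req);
  console.log('vulnerable:', vuln.status, 'raw docs returned:', vuln.body.raw ? vuln.body.raw.length : 0);
  console.log('hardened  :', hard.status, hard.body.error);
  return { vulnerable: vuln.status, hardened: hard.status };
}
demo();
```

The detection angle follows directly from the fix: in the hardened handler, the only way to reach the raw documents is to pass the role check and run outside production, so an access log entry for this endpoint with include_raw=true from a non-hr_admin session is by itself a signal worth alerting on.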
Who It's For
Players comfortable reading API JSON responses and looking for debug parameters in source code.
Skills You'll Practice
- Finding debug artifacts in HTML source
- Discovering undocumented API parameters
- Reading nested JSON to locate sensitive data
- Understanding how access control ordering bugs create IDOR
What You'll Gain
- How debug parameters become high-severity IDOR vulnerabilities
- Access control checks must wrap all code paths, not just the main branch
- TODO comments in source are often a valid attack surface hint