Salt Brook Pilates
A small two-location reformer-Pilates studio with online class booking. Members manage their profile and book sessions; the staff side handles daily reconciliation. The profile editor is friendlier to JSON than it should be.
The Scenario
Salt Brook Pilates is a founder-led studio in the Hudson Valley running reformer classes out of two storefronts. Drop-ins are $32, monthly unlimited is $260, and the booking site was rewritten last spring by a small contract team. The new profile endpoint went live without a strong-params review — the form only ever submitted four fields, so nobody worried about what else the API would accept.
Challenge Intel
Synopsis
PATCH /api/profile merges every key in the JSON body into the user record. Sending role=admin promotes the player, unlocking /staff/billing where the flag is rendered.
What It Is
The profile-edit form on /account/profile renders four inputs (display_name, dietary_pref, emergency_contact, phone) and submits them as a JSON PATCH to /api/profile. The handler iterates over every key in request.json and writes it directly onto the in-memory user dict — no allowlist, no schema, no strong params. The user model also carries a role attribute (default "member") that gates /staff/billing. A player who replays the PATCH with an extra "role": "admin" key is promoted; the topnav then renders the conditional "Staff" link and /staff/billing returns the flag inside a "Reconciliation reference" pill.
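The lapse described above, shown as an added Python example rather than the challenge's own code: a handler that merges every JSON key into the user record, beside an allowlisted version that rejects any field the form never rendered. The record layout, sample request bodies and function names are constructed for illustration.

```python
import json

# The four inputs rendered by /account/profile; nothing else should be writable here.
PROFILE_FIELDS = frozenset({"display_name", "dietary_pref", "emergency_contact", "phone"})

# Constructed member record standing in for the challenge's in-memory user dict.
def new_member(display_name: str) -> dict:
    return {"display_name": display_name, "dietary_pref": "", "emergency_contact": "",
            "phone": "", "role": "member"}

def patch_profile_vulnerable(user: dict, raw_body: str) -> dict:
    """Mirrors the page's description: every JSON key is merged into the record."""
    for key, value in json.loads(raw_body).items():
        user[key] = value
    return user

def unexpected_fields(body: dict) -> list:
    """Keys outside the allowlist; worth logging even when the request is rejected."""
    return sorted(set(body) - PROFILE_FIELDS)

def patch_profile_hardened(user: dict, raw_body: str) -> dict:
    """Allowlisted PATCH: unknown keys and non-string values are rejected outright."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    extra = unexpected_fields(body)
    if extra:
        # Reject (HTTP 400 in a real handler) instead of silently dropping keys, so the attempt shows up in logs.
        raise ValueError(f"unexpected fields: {extra}")
    for key, value in body.items():
        if not isinstance(value, str):
            raise ValueError(f"{key} must be a string")
        user[key] = value
    return user

def can_open_staff_billing(user: dict) -> bool:
    return user.get("role") == "admin"

# Constructed bodies: what the form sends, and the same PATCH replayed with the extra "role" key.
FORM_BODY = json.dumps({"display_name": "J. Rivera", "phone": "845-555-0100"})
REPLAYED_BODY = json.dumps({"display_name": "J. Rivera", "role": "admin"})

if __name__ == "__main__":
    u = patch_profile_vulnerable(new_member("Jess"), REPLAYED_BODY)
    print("vulnerable handler, can open /staff/billing:", can_open_staff_billing(u))
    try:
        patch_profile_hardened(new_member("Jess"), REPLAYED_BODY)
    except ValueError as e:
        print("hardened handler rejected:", e)
```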
Who It's For
Early-stage testers who have seen HTTP IDOR but want to try a mass-assignment-style promotion via a JSON API. No tooling beyond Burp or curl required.
Skills You'll Practice
- Reading a JSON PATCH request in the browser network panel
- Replaying an authenticated request with extra fields via curl or Burp
- Recognising mass-assignment / strong-params lapses in REST endpoints
What You'll Gain
- Pattern recognition for endpoints that merge request.json directly into a model
- Understanding why server-controlled fields (role, is_admin, plan) must never be writable from a public profile API
- First-hand experience promoting an account by sending a field the UI never rendered