Pivot HR
A small-business HR dashboard. The two-factor screen is doing its job. The dashboard itself, it turns out, is not.
The Scenario
Pivot HR is a six-person SaaS for indie small businesses — payroll, time-off, the occasional 1099. They wired up MFA in a hurry after a customer asked for SOC 2. The MFA gate works perfectly. It just doesn't gate anything past the front door.
Challenge Intel
Synopsis
/login -> /mfa -> /dashboard is the intended flow. /dashboard only checks for a session cookie, not the mfa_verified flag. Type the URL directly and you're in.
What It Is
Session cookie is set on /login with mfa_verified=false. /mfa is a real OTP form that always rejects. /dashboard renders the flag if any session cookie is present — it never checks the flag.
Who It's For
Players who know what MFA is and notice the URL bar. No tooling required.
Skills You'll Practice
- Recognising route-order trust assumptions
- Direct navigation past front-end-only gates
What You'll Gain
- Auth state must be checked at every protected endpoint
- MFA must be a server-side guard, not a client-side redirect
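The two lessons above, worked through in code. This is an added example written for this page, not the Pivot HR challenge's own source: it assumes a server-side session object that the cookie merely points at, a placeholder flag value, and a fixed OTP of 123456 standing in for a real TOTP check. The vulnerable /dashboard handler trusts any logged-in session, exactly as the synopsis describes; the hardened one re-checks the mfa_verified flag on every protected route via a guard decorator.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional


# Constructed stand-in for one server-side session record. The browser cookie
# carries only an opaque session id; mfa_verified lives here, on the server,
# never in a client-editable cookie value.
@dataclass
class Session:
    user_id: Optional[str] = None
    mfa_verified: bool = False


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on 302 redirects
    body: str = ""


# Constructed placeholder; the real challenge flag is not on this page.
FLAG = "FLAG{placeholder}"


def login(session: Session, username: str, password_ok: bool) -> Response:
    """First factor. Password verification is assumed done (password_ok);
    on success the session is bound to the user with MFA still pending."""
    if not password_ok:
        return Response(401, body="bad credentials")
    session.user_id = username
    session.mfa_verified = False
    return Response(302, location="/mfa")


def mfa_verify(session: Session, code: str, expected_code: str) -> Response:
    """Second factor. Only a correct OTP flips the server-side flag."""
    if session.user_id is None:
        return Response(302, location="/login")
    if code != expected_code:
        return Response(401, body="invalid code")
    session.mfa_verified = True
    return Response(302, location="/dashboard")


def dashboard_vulnerable(session: Session) -> Response:
    """The Pivot HR bug: a logged-in session is treated as proof that the
    whole /login -> /mfa chain was walked. The flag is never consulted."""
    if session.user_id is None:
        return Response(302, location="/login")
    return Response(200, body=FLAG)


def require_mfa(handler: Callable[..., Response]) -> Callable[..., Response]:
    """Server-side guard: every protected handler re-checks both factors."""
    @wraps(handler)
    def guarded(session: Session, *args, **kwargs) -> Response:
        if session.user_id is None:
            return Response(302, location="/login")
        if not session.mfa_verified:
            return Response(302, location="/mfa")
        return handler(session, *args, **kwargs)
    return guarded


@require_mfa
def dashboard_hardened(session: Session) -> Response:
    return Response(200, body=FLAG)


def walk(skip_mfa: bool, use_hardened: bool, otp: str = "000000") -> int:
    """Drive one user journey and return the /dashboard status code.
    skip_mfa=True models typing /dashboard into the URL bar right after /login."""
    session = Session()
    login(session, "alice", password_ok=True)
    if not skip_mfa:
        mfa_verify(session, otp, expected_code="123456")
    handler = dashboard_hardened if use_hardened else dashboard_vulnerable
    return handler(session).status


if __name__ == "__main__":
    print("vulnerable, skip MFA :", walk(True, False))            # 200: bypass
    print("hardened,   skip MFA :", walk(True, True))             # 302 to /mfa
    print("hardened,   wrong OTP:", walk(False, True))            # 302 to /mfa
    print("hardened,   right OTP:", walk(False, True, "123456"))  # 200
```

The guard belongs on every protected route, not only on /dashboard; in a real framework it is usually registered as middleware or a before-request hook so a new endpoint cannot be added without it. Keeping mfa_verified in server-side session state (or at minimum in a signed, tamper-evident cookie) matters as much as checking it: a guard that reads an unsigned mfa_verified=true from the client is only the same bug in a different place.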