Tear Sheet
A web-based color-palette tool where the freemium "preview" feature was bolted on in a hurry. The shortcut the team took is sitting in plain sight.
The Scenario
Tear Sheet is a palette-generator used by indie designers and brand studios. Free accounts can browse community palettes; paid accounts can export themes through the internal themes API. The team gated the export by checking an Authorization header on the backend, but the frontend needed a way to preview themes without prompting for login — so a contractor wired in a "preview key" and shipped it.
Challenge Intel
Synopsis
A hardcoded bearer token in the production JS bundle grants access to an authenticated-only themes API.
What It Is
The Express backend serves a minified static bundle at /assets/main.bundle.js. Inside the bundle is a string constant PREVIEW_API_KEY assigned to a token of the form ts_live_pk_<hex>. The server's /api/v1/themes/internal endpoint accepts that token in an Authorization: Bearer header and returns the FLAG environment variable in its JSON response. Grep the bundle for ts_live_pk_, then curl the endpoint with the recovered token.
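The mechanism above (a shared "preview key" compiled into the client bundle and accepted by the backend as a bearer token) is exactly the kind of leak a build-time check should catch before the bundle ships. The following is an added, defender-side example and not Tear Sheet's own code: a small Node.js scanner that flags credential-shaped string literals in a built bundle so the deploy fails in CI. The `ts_live_pk_` prefix and the `/api/v1/themes/internal` path come from the challenge text; the sample bundle text, the `tearsheet.example` host, the key value, the rule names and the entropy threshold are constructed assumptions.

```javascript
// Added example (not Tear Sheet's code): pre-deploy scan of a built JS bundle
// for credential-shaped literals. Standard library only; rule names and the
// entropy threshold are assumptions, not a known tool's defaults.

const PATTERNS = [
  // Key prefix named in the challenge text, followed by a hex body.
  { name: 'ts_live_pk', re: /ts_live_pk_[0-9a-f]{8,}/g },
  // A full Authorization value written into the client as one literal.
  { name: 'bearer_literal', re: /Bearer\s+[A-Za-z0-9._\-]{16,}/g },
];

// Shannon entropy (bits per character); random-looking secrets score high,
// ordinary identifiers and URLs score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns every suspicious literal with its rule, byte offset and a redacted
// form that is safe to print in a CI log without re-leaking the value.
function findCredentialShapedStrings(source) {
  const findings = [];
  for (const { name, re } of PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ rule: name, value: m[0], offset: m.index });
    }
  }
  // Catch-all: any quoted literal that is long and high-entropy, for keys
  // whose prefix is not on the list. Skip values a named rule already found.
  const literal = /["'`]([A-Za-z0-9+/=_\-]{24,})["'`]/g;
  for (const m of source.matchAll(literal)) {
    const v = m[1];
    const known = findings.some(f => v.includes(f.value) || f.value.includes(v));
    if (!known && shannonEntropy(v) >= 3.5) {
      findings.push({ rule: 'high_entropy_literal', value: v, offset: m.index + 1 });
    }
  }
  return findings.map(f => ({ ...f, redacted: f.value.slice(0, 12) + '...' }));
}

// CI entry point: ok === false means the bundle must not be published.
function scanBundle(source) {
  const findings = findCredentialShapedStrings(source);
  return { ok: findings.length === 0, findings };
}

// Constructed stand-in for /assets/main.bundle.js (not the real bundle).
const SAMPLE_BUNDLE = [
  '!function(){const e="https://tearsheet.example/api/v1/themes/internal";',
  'const PREVIEW_API_KEY="ts_live_pk_0123456789abcdef0123456789abcdef";',
  'fetch(e,{headers:{Authorization:"Bearer "+PREVIEW_API_KEY}}).then(r=>r.json())}();',
  'const LOGO_ALT="Tear Sheet palette generator";',
].join('\n');

const result = scanBundle(SAMPLE_BUNDLE);
for (const f of result.findings) {
  console.log(`[${f.rule}] offset ${f.offset}: ${f.redacted}`);
}
console.log(result.ok ? 'bundle clean' : 'FAIL: credential-shaped literal in bundle');
```

Run this against the real bundle output in CI and fail the pipeline on any finding. The scanner only contains the blast radius of the mistake; the fix itself is to drop the shared key entirely and have the backend issue short-lived, session-bound tokens (or serve preview data from an endpoint that needs no internal credential), since anything compiled into client JavaScript is readable by every visitor.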
Who It's For
Players who can read minified JS and craft a Burp/curl request with a Bearer header.
Skills You'll Practice
- Grepping minified JS for credential-shaped strings
- Replaying a leaked bearer token against an authed API endpoint
What You'll Gain
- An obvious example of why client-side secrets are not secrets
- Comfort moving from a static asset find to an authed API call
Ready to hack Tear Sheet?
Upgrade to Pro to unlock this challenge and the full library.