Fixture
ScoutLens is an Amsterdam-based sports analytics SaaS. BOLA on the scouting report API leaks an internal analytics subdomain, enabling wkhtmltopdf SSRF through a wildcard allowlist bypass to reach an unauthenticated debug console that exposes player contract data.
The Scenario
ScoutLens is an Amsterdam-based sports analytics SaaS used by professional clubs across Europe. Their platform spans a scouting portal, a developer API, a PDF reporting service, and an internal analytics backend. You have been granted a standard analyst account for a security review. Dig into the platform and see how far a legitimate user can reach — across services, databases, and internal infrastructure.
Lab Intel
Synopsis
ScoutLens have engaged you to assess the web infrastructure behind their sports analytics platform. The stack spans a scouting portal, developer API, PDF reporting service, and internal analytics backend. Your goal is to determine whether a legitimate analyst account can be leveraged to reach sensitive data across service boundaries.
Architecture
A medium-difficulty multi-service lab built on four interconnected subdomains: app.scoutlens.io (Express.js scouting portal), api.scoutlens.io (FastAPI developer portal), reports.scoutlens.io (Flask + wkhtmltopdf PDF service), and an internal analytics backend reachable only via Docker's embedded DNS. The five-step attack chain combines BOLA, information disclosure, and SSRF with a wildcard allowlist bypass to reach an unauthenticated SQL debug console and exfiltrate player contract data.
Who It's For
Built for intermediate penetration testers comfortable with API security testing and HTTP interception. You should understand REST authorization flaws, be able to read and manipulate JSON request bodies in a proxy, and have a basic grasp of SSRF concepts before attempting this lab.
Skills You'll Practice
- API authorization testing — identifying and exploiting missing ownership checks on object-level endpoints
- HTTP traffic interception and request manipulation with Burp Suite or equivalent
- SSRF concepts — understanding how server-side fetchers can be redirected to internal targets
- Allowlist/blocklist analysis and bypass via subdomain matching
- Ability to chain artifacts across multiple steps (subdomain → SSRF target → console path → flag)
What You'll Gain
- BOLA exploitation via sequential integer ID enumeration
- PDF export engine fingerprinting via response headers
- SSRF via user-controlled template_url parameter
- Wildcard allowlist bypass using a discovered internal subdomain
- Unauthenticated internal endpoint access via SSRF chaining
- Arbitrary SQL execution through an exposed debug console
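The wildcard allowlist bypass listed under Skills You'll Practice and What You'll Gain, shown from the defensive side as an added example (this is not ScoutLens code; the lab's real allowlist logic is not on this page): a suffix-match check of the kind described, beside a strict exact-host check with a resolved-address filter of the sort the reports service would need. The internal hostname, the look-alike host, all IP addresses and the stand-in resolver are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts the PDF service may fetch templates from (names taken from the lab page).
PUBLIC_TEMPLATE_HOSTS = {"app.scoutlens.io", "api.scoutlens.io"}

# Address ranges a server-side fetcher must never reach: loopback, RFC 1918, link-local, CGNAT, ULA.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline. The internal
# hostname and every address here are made up for illustration.
FAKE_DNS = {
    "app.scoutlens.io": ["203.0.113.10"],
    "api.scoutlens.io": ["203.0.113.11"],
    "analytics.internal.scoutlens.io": ["172.18.0.5"],  # Docker bridge range
    "lookalike-scoutlens.io": ["203.0.113.99"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def real_resolve(host):
    """Live resolver for production use; not called by the offline demo."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)

def weak_allowlist(template_url):
    """The flawed pattern: a bare suffix match. Any host ending in 'scoutlens.io'
    passes, which covers internal subdomains and even unrelated look-alike domains."""
    host = urlparse(template_url).hostname or ""
    return host.endswith("scoutlens.io")

def strict_allowlist(template_url, resolve=fake_resolve):
    """Hardened check: exact hostname match against a fixed set, then a filter on
    every resolved address so an allowlisted name cannot point inside the network."""
    parsed = urlparse(template_url)
    if parsed.scheme != "https" or parsed.hostname not in PUBLIC_TEMPLATE_HOSTS:
        return False
    addrs = resolve(parsed.hostname)
    # The fetcher must also connect to exactly these addresses (pinning); otherwise a
    # record that changes between this check and the fetch still reaches the inside.
    return bool(addrs) and not any(is_internal(a) for a in addrs)
```

Pass real_resolve as the resolve argument to run the strict check against live DNS.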