LinkLapse

Difficulty: medium | Tier: Pro

LinkLapse is a link-shortening and campaign-tracking platform with OAuth-based account linking, an internal support console, and a logging API.

Topics: oauth-linking-abuse, account-takeover, xss, admin-bot-exfiltration, internal-api-leak
Stack: flask, python, sqlite, oauth

The Scenario

LinkLapse is a link-shortening and campaign-tracking provider used by marketing teams to distribute time-sensitive promos and measure conversions.

A high-value client reported that restricted campaign dashboards were accessible from unexpected sessions, and support can't reproduce it reliably. The company wants an end-to-end security verification of the portal and any internal admin flows that might be reachable. You're investigating as an attacker to determine whether the platform can be abused to access customer data or internal operations.

Lab Intel

Synopsis

LinkLapse has enlisted your services to perform a security assessment of its link-shortening and campaign-tracking platform. A high-value client reported unauthorized access to restricted campaign dashboards, and the company needs you to determine whether an attacker can abuse the portal to reach customer data or internal operations.

Architecture

A medium-difficulty lab featuring a single-container Flask application that serves multiple subdomains -- a marketing portal, OAuth identity provider, blog with comments, ops triage chat, and internal logging API. The challenge chains information disclosure into account takeover into XSS-driven exfiltration, requiring you to pivot across interconnected features within the same application.

Who It's For

Designed for intermediate penetration testers comfortable with web application fundamentals who want to practice multi-step attack chains. You should have prior experience with browser developer tools, OAuth flows, and basic XSS concepts before attempting this lab.

Skills You'll Practice

  • Understanding of OAuth 2.0 authorization and account-linking flows
  • Familiarity with browser developer tools and JavaScript source analysis
  • Basic knowledge of XSS payload construction and delivery
  • Experience with HTTP request interception and manipulation

What You'll Gain

  • OAuth account-linking abuse
  • Automated workflow exploitation via XSS
  • JavaScript bundle reconnaissance
  • Cross-service data pivoting
  • Internal credential extraction

Ready to hack LinkLapse?

Upgrade to Pro to unlock this lab and the full library.