WEBVERSE

OrbitDesk

Difficulty: Hard. Price: Free.

OrbitDesk is a client portal and project hub with GraphQL APIs, document sharing, signed link delivery, and an internal diagnostics console.

Vulnerability tags: weak-reset-token, graphql-idor, path-traversal, ssrf, command-injection, jwt

Tech stack: flask, python, nginx, sqlite, graphql, jwt, ariadne

The Scenario

OrbitDesk is a premium client portal and project hub used by boutique consultancies to share documents, coordinate workstreams, and automate customer onboarding.

The company recently rolled out a new identity service and a next-gen GraphQL API powering the portal. A separate internal ops console helps engineers validate integrations and run diagnostics when customers report issues.

You have been asked to assess how an external attacker could chain small weaknesses across these surfaces into a real incident. The environment is designed to feel like a genuine web assessment: plenty of normal features, believable copy, and multiple dead ends.

Lab Intel

Synopsis

OrbitDesk has enlisted your services to assess its client portal and project hub before a major enterprise rollout. The company recently deployed a new identity service and GraphQL API alongside an internal ops console, and it needs to know whether an external attacker can chain weaknesses across these surfaces into a real compromise.

Architecture

A hard-difficulty lab with seven interconnected services -- an nginx gateway, marketing site, client portal, auth service, GraphQL API, file delivery service, and an internal ops console -- running on an isolated Docker network. The attack path spans five distinct stages from weak token exploitation through GraphQL IDOR, path traversal, SSRF, and finally command injection, making it one of the more architecturally complex labs on the platform.

Who It's For

Built for experienced penetration testers who are comfortable with multi-service web environments and want to practice chaining vulnerabilities across different application layers. You should have solid experience with API testing, token analysis, and an understanding of how internal services communicate before attempting this lab.

Skills You'll Practice

  • Experience with GraphQL query construction and introspection
  • Understanding of JWT structure and token-based authentication
  • Familiarity with SSRF techniques and internal service pivoting
  • Knowledge of path traversal and file access vulnerabilities
  • Comfort with command-line tools for API interaction (curl, jq)

What You'll Gain

  • Weak reset token exploitation
  • GraphQL IDOR enumeration
  • Signed URL path traversal
  • SSRF through internal service chaining
  • Command injection via diagnostics endpoint

Ready to hack OrbitDesk?

This lab is free. Sign up and start hacking.