Overdue
A small-town library moved its catalog online last week. Sign in and have a look around.
The Scenario
Maple Hollow Public Library just switched from index cards to an online catalog.
Librarian Emma was doing most of it herself between front-desk shifts, and the
whole thing went live a week ago without anyone reviewing the code.
Patrons can browse the stacks, sign in, and see their own checkouts. Everything
looks clean on the surface — but libraries have always had privacy expectations
quietly baked into how they work, and it's worth checking whether those
expectations survived the move.
Lab Intel
Synopsis
A friendly-looking patron portal where the login check is working, but something else isn't.
Architecture
A beginner-friendly Ruby + SQLite library web app. Login works, signups are paused, and the catalog is perfectly ordinary — the interesting part is what a logged-in patron can see.
Who It's For
Newcomers who've solved one injection lab and are ready for a different mental model: authorization, not input parsing.
Skills You'll Practice
- Reading URLs as data structures
- Comparing what the UI gives you against what the server is willing to give you
- Basic request manipulation against the checkouts view
What You'll Gain
- A concrete feel for why 'logged in' and 'allowed' are two different checks
- Vocabulary for the single most common real-world access-control bug
- A second solve in a very different shape from your first
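The distinction in the first bullet, as an added Ruby illustration that is not the lab's code: a handler that only confirms a session exists, beside one that also confirms the signed-in patron owns the record it is asked for. The route shape /patrons/:id/checkouts, the session layout, and the in-memory tables are assumptions standing in for the real app and its SQLite database.

```ruby
# Added illustration of "logged in" versus "allowed". Not the lab's code.
# Constructed sample data standing in for the library's SQLite tables.
PATRONS = {
  1 => { name: "Alice" },
  2 => { name: "Bob" }
}.freeze

CHECKOUTS = [
  { patron_id: 1, title: "The Secret Garden" },
  { patron_id: 2, title: "Walden" }
].freeze

# Assumed URL shape: /patrons/:id/checkouts. Reading the URL as data means
# noticing that :id is an integer the client controls, not a fixed label.
PATH_PATTERN = %r{\A/patrons/(\d+)/checkouts\z}

def patron_id_from_path(path)
  m = PATH_PATTERN.match(path)
  m && m[1].to_i
end

def titles_for(patron_id)
  CHECKOUTS.select { |c| c[:patron_id] == patron_id }.map { |c| c[:title] }
end

# Insecure handler: authentication only. It verifies that *someone* is
# logged in (session[:patron_id] is set), then trusts the id in the URL.
# Any signed-in patron can read any other patron's checkouts.
def checkouts_for_insecure(session, path)
  return [:unauthorized, nil] unless session[:patron_id]
  requested_id = patron_id_from_path(path)
  return [:not_found, nil] unless requested_id && PATRONS.key?(requested_id)
  [:ok, titles_for(requested_id)]
end

# Hardened handler: the same authentication check, then an authorization
# check that the URL id is the session's own id before any data is read.
# The ownership check runs before the existence check so a caller cannot
# use :not_found versus :forbidden to enumerate which ids exist.
def checkouts_for_secure(session, path)
  return [:unauthorized, nil] unless session[:patron_id]
  requested_id = patron_id_from_path(path)
  return [:forbidden, nil] unless requested_id == session[:patron_id]
  return [:not_found, nil] unless PATRONS.key?(requested_id)
  [:ok, titles_for(requested_id)]
end

if __FILE__ == $PROGRAM_NAME
  alice = { patron_id: 1 }                                 # Alice's session
  p checkouts_for_insecure(alice, "/patrons/2/checkouts")  # [:ok, ["Walden"]]  <- leak
  p checkouts_for_secure(alice, "/patrons/2/checkouts")    # [:forbidden, nil]
  p checkouts_for_secure(alice, "/patrons/1/checkouts")    # [:ok, ["The Secret Garden"]]
end
```

Both handlers pass the login check; only the second asks the question the lab is about, whether this particular patron may see this particular record. In a real app the ownership comparison would normally be folded into the query itself (filter by the session's id rather than the URL's), which removes the temptation to forget it on some other route.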