WEBVERSE

Poppet
Master difficulty, free lab

Poppet is a boutique toy studio with interconnected services handling storefront, fulfillment, CRM, and payroll.

Tags: sqli, bola, brute-force, jwt-weak-secret, ssti-jinja2, xxe-svg-upload, credential-leak, plaintext-passwords, waf-bypass, multi-service
Stack: python, flask, mysql, nginx, docker, jwt, lxml

The Scenario

Poppet is a boutique toy studio in Asheville, NC -- handcrafted wooden figurines, plush animals, and educational kits. Their internal tooling has grown organically: a webshop, integration APIs, a CRM, and a payroll system. A recent Toy Design Studio launch lets artists upload concept sketches directly. You have been brought in to assess their web infrastructure.

Lab Intel

Synopsis

Poppet have enlisted your services to assess the web infrastructure behind their boutique toy studio. Their tooling has grown organically across a webshop, integration APIs, CRM, and payroll system, and they need to know whether an external attacker can chain weaknesses across these surfaces to reach sensitive employee and financial data.

Architecture

A master-difficulty lab featuring eight interconnected services -- an nginx gateway, MySQL database, main web application, online shop, Connect API, CRM, payroll system, and dispatch API -- representing a realistic small-business technology stack. The attack path spans six stages across four distinct services, requiring SQL injection, BOLA exploitation, brute-forcing, credential pivoting, JWT forgery, and SSTI with WAF bypass, making it the most complex multi-service lab on the platform.

Who It's For

Built for advanced penetration testers ready for a long-form, multi-service engagement that mirrors a real-world assessment. You should have strong experience with SQL injection, API security testing, JWT manipulation, and server-side template injection before attempting this lab.

Skills You'll Practice

  • SQL injection (error-based and blind techniques)
  • JWT structure, signing, and weak-secret cracking
  • IDOR/BOLA patterns in REST APIs
  • Server-side template injection (Jinja2)
  • WAF/filter bypass techniques
  • Multi-service pivoting and credential management

What You'll Gain

  • SQL injection via integration API
  • BOLA exploitation in password recovery
  • Reset code brute-forcing
  • Cross-service credential pivoting
  • JWT weak secret cracking and token forgery
  • Jinja2 SSTI with blocklist bypass
