WEBVERSE


Role Riptide
Difficulty: easy | Tier: Pro

Role Riptide is a project management portal for professional services teams with role-based access controls and client engagement workflows.

Tags: mass-assignment, privilege-escalation
Stack: python, fastapi, sqlite, jwt, jinja2

The Scenario

RoleRiptide is a role-based workflow tool used by professional services teams to manage engagements, approvals, and client deliverables.

An account manager claims they briefly saw a client record they shouldn't have access to, then it disappeared. The team suspects a subtle authorization edge case rather than an obvious breach. Your task is to audit the app from the outside, confirm whether cross-role visibility is possible, and demonstrate the maximum impact if the issue is exploitable.

Lab Intel

Synopsis

RoleRiptide has enlisted your services to investigate a suspected authorization flaw in their project management portal after an account manager briefly saw a client record they should not have had access to.

Architecture

An easy-rated lab running a single FastAPI container with SQLite and JWT-based authentication. It is a compact, focused challenge built around one core concept: mass assignment, where an endpoint binds the whole request body onto a server-side model, so a client can set fields it should never control (such as its own role) and escalate its privileges. There is none of the noise of multi-service architectures.
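The pattern the lab is built around, shown as an added example rather than the lab's own code: a registration handler that binds the whole JSON body onto a user model beside one that allowlists the fields a registrant may supply. The model fields, the `role` values, the handler names and the attacker payload are all assumptions chosen to mirror the concept; nothing here is taken from Role Riptide itself. Plain dataclasses stand in for the ORM so the example runs offline.

```python
"""Mass assignment leading to privilege escalation, with plain dataclasses.

Added example, not the lab's own code. Field names, role values and
handler names are assumptions made to illustrate the concept.
"""
import hashlib
import json
import os
from dataclasses import dataclass


@dataclass
class User:
    """Server-side user record. ``role`` must only ever be set by the server."""
    username: str
    password_hash: str
    role: str = "account_manager"  # assumed default for self-service sign-ups


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; enough for the demo, parameters not a recommendation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def register_vulnerable(body_json: str) -> User:
    """Mass assignment: every key in the request lands on the model.

    ``role`` is a declared field, so a client that includes it sets it.
    """
    body = json.loads(body_json)
    body["password_hash"] = hash_password(body.pop("password"))
    return User(**body)


# Explicit allowlist of fields a registrant is permitted to send.
REGISTRATION_FIELDS = frozenset({"username", "password"})


def register_hardened(body_json: str) -> User:
    """Rejects unexpected fields and never reads ``role`` from the request."""
    body = json.loads(body_json)
    unexpected = set(body) - REGISTRATION_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields in request: {sorted(unexpected)}")
    missing = REGISTRATION_FIELDS - set(body)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    # ``role`` is deliberately not passed, so the server-side default applies.
    return User(
        username=body["username"],
        password_hash=hash_password(body["password"]),
    )


def can_view_all_clients(user: User) -> bool:
    """Downstream authorization check that trusts the stored role."""
    return user.role == "admin"


# Constructed attacker payload: an ordinary sign-up with one extra key.
ATTACKER_PAYLOAD = json.dumps(
    {"username": "eve", "password": "correct horse", "role": "admin"}
)


if __name__ == "__main__":
    escalated = register_vulnerable(ATTACKER_PAYLOAD)
    print("vulnerable handler stored role:", escalated.role,
          "-> can view all clients:", can_view_all_clients(escalated))
    try:
        register_hardened(ATTACKER_PAYLOAD)
    except ValueError as exc:
        print("hardened handler rejected the request:", exc)
```

The hardened handler fails closed on any field it does not recognise rather than silently dropping it, which is the behaviour you want when the list of sensitive model fields may grow later. In a real FastAPI service the same effect comes from giving the endpoint a dedicated request schema that declares only the client-settable fields and forbids extras, instead of reusing the database model as the request body.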

Who It's For

Ideal for beginners or those new to API security testing. You should be comfortable making HTTP requests with tools like curl or Burp Suite, and have a basic understanding of REST APIs and JSON payloads. No prior exploitation experience is required.

Skills You'll Practice

  • Sending HTTP requests with curl, Burp Suite, or Postman
  • Reading and crafting REST API requests and JSON payloads
  • Walking through user registration and authentication flows

What You'll Gain

  • Mass assignment exploitation
  • Role-based privilege escalation
  • API endpoint discovery and enumeration

Ready to hack Role Riptide?

Upgrade to Pro to unlock this lab and the full library.