Swatch
RenderParlor's architectural visualization platform was built fast and shipped faster. Investigate their API to determine whether client project data is as private as the developers assumed.
The Scenario
RenderParlor is an Austin-based startup building SaaS tools for architectural visualization studios.
Their platform lets designers manage projects and deliver rendered images directly to clients.
A pentest engagement has revealed concerns about their API — specifically how project data is accessed.
Your job is to investigate whether any client project data can be accessed without authorization.
Lab Intel
Synopsis
RenderParlor have brought you in to assess their architectural visualization platform. Their API was built quickly and the team relied on UUID unguessability as an access control mechanism — your job is to determine whether that assumption holds.
Architecture
An easy-difficulty single-service lab built on Express.js and PostgreSQL, representing a realistic SaaS platform for architectural designers. The attack path runs across two API endpoints and requires no brute-forcing or special tooling — just careful observation of API responses and an understanding of how broken object level authorization manifests in practice.
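The antipattern the Architecture section describes, as an added example that is not RenderParlor's or the lab's code: a lookup that treats the project UUID as the only access control, beside a handler that checks ownership against the authenticated principal. It is written in the shape of Express route handlers but takes a plain request object and returns the status and body, so it runs under Node with no framework dependency; the project rows, user ids and route path are constructed assumptions.

```javascript
// Added example, not part of the lab. Constructed rows standing in for the
// PostgreSQL "projects" table: id -> { ownerId, name }.
const PROJECTS = new Map([
  ['2f3c1a4e-9d6b-4b7e-8f1a-0c2d3e4f5a6b', { ownerId: 'user-alice', name: 'Harbor Tower' }],
  ['7a8b9c0d-1e2f-4a3b-9c8d-7e6f5a4b3c2d', { ownerId: 'user-bob', name: 'Cedar Residence' }],
]);

// RFC 4122 shape check: reject malformed ids before they reach the store.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// BOLA pattern: the only "authorisation" is knowing the UUID. Any caller
// that has seen the id (in another response, a shared link, a log line)
// receives the full row, regardless of who owns the project.
function getProjectVulnerable(req) {
  const row = PROJECTS.get(req.params.id);
  if (!row) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { id: req.params.id, ...row } };
}

// Fixed handler: authentication establishes who is calling, and the
// ownership check decides whether that caller may see this object.
function getProjectFixed(req) {
  if (!req.user || !req.user.id) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  if (!UUID_RE.test(req.params.id)) {
    return { status: 400, body: { error: 'invalid project id' } };
  }
  const row = PROJECTS.get(req.params.id);
  // Same response for "missing" and "not yours", so the status code does not
  // confirm to a caller that another client's project id exists.
  if (!row || row.ownerId !== req.user.id) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: { id: req.params.id, ...row } };
}

// How the fixed handler would be mounted in Express (assumed route path);
// with a real database the owner check belongs in the query itself, e.g.
//   SELECT ... FROM projects WHERE id = $1 AND owner_id = $2
//
//   app.get('/api/projects/:id', (req, res) => {
//     const r = getProjectFixed(req);
//     res.status(r.status).json(r.body);
//   });

module.exports = { PROJECTS, getProjectVulnerable, getProjectFixed };
```

Running the two handlers with the same request shows the difference: a request from Alice for Bob's project id succeeds against the vulnerable handler and is refused by the fixed one, while Alice's own project is served by both.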
Who It's For
Ideal for beginners getting started with API security testing and OWASP API Top 10 concepts. No prior exploitation experience is required — this lab is designed to teach the core BOLA pattern in a clean, approachable environment.
Skills You'll Practice
- Basic API interaction using a browser or proxy
- Reading and interpreting JSON API responses
- Understanding of authentication vs. authorisation
What You'll Gain
- Hands-on experience identifying information disclosure in REST APIs
- Practical understanding of BOLA (Broken Object Level Authorisation)
- Recognition of the UUID-as-capability antipattern