Switchback
Switchback is a partner integration suite bundling a secrets vault, internal webmail, and referral APIs under a single multi-tenant domain.
The Scenario
They brand everything as "zero trust," "secure by default," "isolated," and "battle-tested." Their suite bundles a secrets vault, internal mail access, and dashboards under one domain.
The biggest weakness isn't crypto -- it's the assumptions made in the glue code between services.
Lab Intel
Synopsis
Switchback has enlisted your services to stress-test its partner integration suite -- a multi-tenant platform bundling a secrets vault, internal webmail, and referral APIs under one domain -- after internal doubts surfaced about the isolation guarantees between tenants and services.
Architecture
A medium-rated lab built from six Docker services (nginx proxy, main site, API, mail, vault, and MySQL) representing a multi-tenant SaaS platform. Its distinctiveness lies in the chain of cross-service boundary violations: tenant isolation bypass, credential leakage, blind SQL injection, MFA bypass, and server-side template injection -- each step leveraging a different service's weakness.
Who It's For
Built for intermediate testers who have completed beginner labs and are ready for multi-service, multi-step attack chains. You should be comfortable with subdomain enumeration, HTTP proxy tools, and have a working knowledge of SQL injection syntax and template engines.
Skills You'll Practice
- HTTP proxy usage and subdomain/virtual host discovery
- Familiarity with SQL injection (especially time-based blind techniques)
- Understanding of session/cookie-based authentication
- Basic knowledge of template engines (Jinja2 or similar)
- Comfort navigating multi-service web architectures
What You'll Gain
- Tenant/workspace boundary bypass
- Cross-service credential pivoting
- Time-based blind SQL injection
- MFA bypass via extracted one-time codes
- Jinja2 server-side template injection (SSTI)