Tally
A solo bookkeeper's tiny invoice-tracking SaaS. Sign in with a real account and look at what the server hands you on the way back.
The Scenario
Tally is a one-person micro-SaaS run out of a basement office in Asheville, North Carolina. Maren Ostlund built it for herself in 2023 — she'd been doing books for small studios and freelancers for twelve years and was tired of every existing tool. Last spring she opened it up to other solo bookkeepers for $9 a month.
Login uses signed tokens, "the industry-standard way." The signing secret was chosen at 1am the night before launch and hasn't been changed since.
Sign up for a free account, look around, and pay attention to what the server is handing you on the way in.
Lab Intel
Synopsis
Crack what was never meant to be cracked.
Architecture
A beginner-friendly Node.js + Express invoice-tracker SaaS that authenticates with HS256 JWTs in an Authorization: Bearer header. The signing secret is a single word from rockyou — no leak, no source disclosure, no exotic algorithm tricks. Capture a real token, crack it, forge one with role:admin, replay against /api/admin/exports.
Who It's For
Newcomers comfortable with one or two injection labs who are ready to leave the SQL world for the auth-token world. The fifth WebVerse foundational, after Flower, Overdue, Corridor, and Quotin — and the first that introduces the modern web's most common auth primitive.
Skills You'll Practice
- Decoding JWTs by hand and with jwt.io / jwt-cli
- Spotting role / scope / is_admin claims as forgery targets
- Running hashcat mode 16500 (or jwt-cracker) against a captured JWT
- Re-signing a forged token in three lines of Node or Python
- Replaying a forged token via Authorization: Bearer with curl
What You'll Gain
- Vocabulary: JWT, HS256, claims, signing secret, token forgery, privilege escalation
- A mental model that 'signed' and 'secret' are not the same word
- Confidence with the single most common JWT bug shipping in production today