WEBVERSE


Tier: Foundational (Free)

Trellis

A tiny project tracker for fully-remote teams. Sign up — and pay attention to which fields the backend trusts you to send.

Tags: mass-assignment, auth, web
Stack: PHP, Apache, SQLite

The Scenario

Trellis is a two-person micro-SaaS run out of Lisbon by Marin Lima and Pia Costa. Five dollars a user per month, boards and threads and weekly digests, designed to be the one tool a small remote team needs and nothing more.

Marin built the signup endpoint on the same Sunday they shipped the marketing site. The frontend form sends three fields. The backend… is more accommodating.

Sign up for an account, look around — and notice what the dashboard hints exists but isn't accessible to you yet.

Lab Intel

Synopsis

Send the field they forgot you could.

Architecture

A beginner-friendly PHP + Apache project-tracker SaaS. The signup endpoint mass-assigns every POST field straight into the users table — including `role`. Submit `role=admin` alongside the normal three fields and the next page is the admin board export, where the flag is hiding.
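To make the bug class concrete, here is an added illustration in PHP (not Trellis's actual source, which the lab does not show): a signup handler that copies every POST key into the `users` row, beside a version that uses an explicit allowlist and sets `role` server-side. The table schema, the function names `openDb`, `signupMassAssign` and `signupAllowlisted`, and the sample request are all assumptions made for this example.

```php
<?php
// Added example, not the lab's code. Assumes a SQLite table
// users(id, email, name, password_hash, role) as created below.
declare(strict_types=1);

function openDb(string $path): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT UNIQUE NOT NULL,
        name TEXT NOT NULL,
        password_hash TEXT NOT NULL,
        role TEXT NOT NULL DEFAULT 'user'
    )");
    return $db;
}

// VULNERABLE (mass assignment): the frontend form sends email, name and
// password, but the handler inserts whatever keys arrive, so an extra
// 'role' key becomes the row's role. (Building the column list from request
// keys is a second defect in its own right; the point here is 'role'.)
function signupMassAssign(PDO $db, array $post): int {
    $row = $post;
    $row['password_hash'] = password_hash((string) ($row['password'] ?? ''), PASSWORD_DEFAULT);
    unset($row['password']);
    $cols = array_keys($row);
    $sql = 'INSERT INTO users (' . implode(', ', $cols) . ') VALUES ('
         . implode(', ', array_map(fn ($c) => ':' . $c, $cols)) . ')';
    $db->prepare($sql)->execute($row);
    return (int) $db->lastInsertId();
}

// FIXED (allowlist): only the fields a signup is allowed to set are read
// from the request, each one is validated, and role is a server decision.
const SIGNUP_FIELDS = ['email', 'name'];

function signupAllowlisted(PDO $db, array $post): int {
    $row = [];
    foreach (SIGNUP_FIELDS as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
        $row[$field] = trim($value);
    }
    if (!filter_var($row['email'], FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid email');
    }
    $password = $post['password'] ?? null;
    if (!is_string($password) || strlen($password) < 8) {
        throw new InvalidArgumentException('password too short');
    }
    $row['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    $row['role'] = 'user'; // never derived from the request
    $db->prepare('INSERT INTO users (email, name, password_hash, role)
                  VALUES (:email, :name, :password_hash, :role)')->execute($row);
    return (int) $db->lastInsertId();
}

function roleOf(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT role FROM users WHERE id = :id');
    $stmt->execute(['id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed request: the three form fields plus an over-posted 'role'.
$db = openDb(':memory:');
$request = [
    'email'    => 'marin@example.test',
    'name'     => 'Marin',
    'password' => 'correct-horse-battery',
    'role'     => 'admin',
];

echo 'mass-assign handler stored role: ' . roleOf($db, signupMassAssign($db, $request)) . PHP_EOL;

$request['email'] = 'pia@example.test';
echo 'allowlist handler stored role:   ' . roleOf($db, signupAllowlisted($db, $request)) . PHP_EOL;
```

Run with `php example.php` (requires the pdo_sqlite extension). The first line reports `admin`, the second `user`: the allowlisted handler silently ignores the extra key because it never looks at it. That is the defensive habit the lab teaches, decide per field what a request may set, rather than checking only that the required fields are present.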

Who It's For

Newcomers who've cleared an injection lab or two and are ready to learn that 'authentication' and 'authorization' are different bugs. The seventh WebVerse foundational, after Flower, Overdue, Corridor, Quotin, Tally, and Outbox.

Skills You'll Practice

  • Reading a form's HTML to learn what the *frontend* sends
  • Reading the backend's response shape and HTML for hints about what it *accepts*
  • Crafting a curl POST or DevTools modification with extra fields
  • Recognising the privilege jump from `role: user` to `role: admin`

What You'll Gain

  • Vocabulary: mass assignment, over-posting, privilege escalation, allowlist vs denylist
  • A mental model in which input validation works per field (which fields a request may set, and to what), not just a check that the required ones are present
  • Confidence with a bug class that ships in Rails, Laravel, Django, and every hand-rolled CRUD endpoint

Ready to hack Trellis?

This lab is free. Sign up and start hacking.