Salt Brook Pilates
Salt Brook Pilates is a founder-led studio in the Hudson Valley running reformer classes out of two storefronts. The new profile endpoint went live without a strong-params review — the form only ever submitted four fields, so nobody worried about what else the API would accept.
Room Description

https://dashboard.webverselabs-pro.com/challenges/rider
Scenario
Salt Brook Pilates is a founder-led studio in the Hudson Valley running reformer classes out of two storefronts. Drop-ins are $32, monthly unlimited is $260, and the booking site was rewritten last spring by a small contract team. The new profile endpoint went live without a strong-params review — the form only ever submitted four fields, so nobody worried about what else the API would accept.
Objective
A small two-location reformer-Pilates studio with online class booking. Members manage their profile and book sessions; the staff side handles daily reconciliation. The profile editor is friendlier to JSON than it should be.
Initial Analysis
A pilates studio web application.

From the navigation menus we have the following endpoints:
<nav class="nav__links" aria-label="Primary">
<a class="nav__link is-active" href="/">Home</a>
<a class="nav__link " href="/classes">Classes</a>
<a class="nav__link " href="/instructors">Instructors</a>
</nav>
<div class="nav__cta">
<a class="btn btn--ghost btn--mini" href="/login">Sign in</a>
<a class="btn btn--primary btn--mini" href="/register">Become a member</a>
</div>
The Classes page lists many sessions, and every one of them says we need to sign in first:

The Instructors page lists staff names, which could serve as potential usernames:

Finding the bug
We can register an account, so we should definitely do so:

The registration looks normal:

After registering/logging in we get sent to /account/profile:

We can edit our member details, or rather only our name.

The response reveals the rest of the field names, so we can try editing some of them, such as the one called role.
Exploitation
Send the request to Burp Repeater and add an extra field to the request body so that it reads as follows:
{"display_name":"minatour123","phone":"","dietary_pref":"","emergency_contact":"","role":"admin"}

After refreshing the page we can see an extra tab available called "Staff".

Opening up the staff page gives us the flag:
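Why the extra key lands on the record, and what a strong-params style allowlist changes, as an added Ruby example that is not the challenge's own code; the member hash, the function names and the reporting of rejected keys are assumptions made for illustration:

```ruby
require 'json'

# The four fields the profile form actually submits.
PERMITTED_PROFILE_FIELDS = %w[display_name phone dietary_pref emergency_contact].freeze

# Vulnerable shape: every key in the JSON body is written straight onto the
# member record, so "role" (or any other column) is updated along with the rest.
def update_profile_unsafe(member, body)
  member.merge(JSON.parse(body))
end

# Hardened shape: only allowlisted keys are copied onto the record; anything
# else is dropped and returned so the handler can log and alert on the attempt.
def update_profile_safe(member, body)
  params = JSON.parse(body)
  rejected = params.keys - PERMITTED_PROFILE_FIELDS
  updated = member.merge(params.slice(*PERMITTED_PROFILE_FIELDS))
  [updated, rejected]
end

# Constructed sample: a freshly registered member (assumed shape) and the
# request body from the write-up above.
SAMPLE_MEMBER = { 'id' => 42, 'display_name' => 'minatour123', 'role' => 'member' }.freeze
SAMPLE_BODY = '{"display_name":"minatour123","phone":"","dietary_pref":"",' \
              '"emergency_contact":"","role":"admin"}'

if $PROGRAM_NAME == __FILE__
  puts "unsafe role: #{update_profile_unsafe(SAMPLE_MEMBER, SAMPLE_BODY)['role']}"
  updated, rejected = update_profile_safe(SAMPLE_MEMBER, SAMPLE_BODY)
  puts "safe role:   #{updated['role']}"
  puts "rejected:    #{rejected.inspect}"
end
```

The rejected-keys list is the detection hook: a member submitting `role` is a strong signal worth alerting on, not just silently dropping.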
