Solo Founder SaaS

Indie SaaS

The dashboard preloads another customer record, exposes billing config in JavaScript, lets the browser self-upgrade a paid plan, and uses weak form validation throughout.

Back to hub Reload scenario

Expected Findings

Anonymous users can read any account by changing the user ID.
Static config and .env files disclose Stripe and session material.
Paid subscription upgrade trusts client-supplied payment state.
Admin surface is reachable without authentication.
Signup validation is almost entirely client-side and trivially bypassed.

Primary Flows

Victim account API BOLA / IDOR example
Subscription status Current starter plan for a user
Upgrade endpoint POST plan + paid flag to unlock paid tier
Frontend config Billing keys and internal flags
.env file Local env exposed over HTTP
Admin dashboard Unauthenticated admin area

Signals

Validation

if (email.includes("@")) allowInvite(email)

Paid Gate

if (form.paid === "true" || form.plan !== "starter") grantPlan(form.plan)

Billing Config

window.__BILLING__ = { stripePublicKey: "pk_test_founder_mode" }