diff --git a/tests/fixtures/set_2_challenge13.key b/tests/fixtures/set_2_challenge13.key
new file mode 100644
index 0000000..b2b31f2
--- /dev/null
+++ b/tests/fixtures/set_2_challenge13.key
@@ -0,0 +1 @@
+75dfa8b6e29a435c714b574431aa3024
\ No newline at end of file
diff --git a/tests/src/test_UserProfile.py b/tests/src/test_UserProfile.py
new file mode 100644
index 0000000..ec88e94
--- /dev/null
+++ b/tests/src/test_UserProfile.py
@@ -0,0 +1,48 @@
+import unittest
+import src.utils.bytecodec as bytecodec
+
+from secrets import token_bytes
+from src.UserProfile import urlencode_to_dict, profile_for, UserProfile
+
+class UserProfileTest(unittest.TestCase):
+
+    def test_urlencode_to_dict(self):
+        expected = {
+            'foo': 'bar',
+            'baz': 'qux',
+            'zap': 'zazzle'
+        }
+        actual = urlencode_to_dict('foo=bar&baz=qux&zap=zazzle')
+        self.assertEqual(expected, actual)
+
+    def test_profile_for(self):
+        expected = 'email=foo@bar.com&uid=10&role=user'
+        actual = profile_for('foo@bar.com')
+        self.assertEqual(expected, actual)
+        expected = 'email=foo@bar.comroleadmin&uid=10&role=user'
+        actual = profile_for('foo@bar.com&role=admin')
+        self.assertEqual(expected, actual)
+    
+    def test_attack_profile(self):
+        key = self.get_static_key()
+        profile = UserProfile(key)
+        encrypted = profile.encrypted_profile_for('foo@bar.com')
+        decrypted = profile.decrypt_profile(encrypted)
+        expected = {
+            'email': 'foo@bar.com',
+            'uid': '10',
+            'role': 'user'
+        }
+        self.assertEqual(expected, decrypted)
+        '''
+        email=fooooooooo
+        @bar.commmmmmmmm
+        &uid=10&role=use
+        r
+        '''
+
+    def get_static_key(self):
+        with open('./tests/fixtures/set_2_challenge13.key', 'r') as fh:
+            hex_key = fh.read()
+        key = bytecodec.hex_to_bytes(hex_key)
+        return key
\ No newline at end of file
diff --git a/tests/test_set2.py b/tests/test_set2.py
index 88abfe5..b97053c 100644
--- a/tests/test_set2.py
+++ b/tests/test_set2.py
@@ -64,6 +64,18 @@ def test_set2_challenge12(self):
         plaintext = b''.join([i.to_bytes() for i in plaintext_bytes])
         self.assertEqual(expected, plaintext) # cool af
 
+    def test_set2_challenge13(self):
+        
+        return
+    
+    def test_set2_challenge14(self):
+        '''
+            find your bytes like a canary, make sure your blocks span 3 blocks
+            e.g. any number of random bytes || yours || target
+
+        '''
+
+