# Broken Access Control
16 posts

BugForge - Weekly - Galaxy Dash (Mar 26, 2026)
This walkthrough demonstrates a broken access control vulnerability in a team management application. The application exposes user creation, update, and…
BugForge - Weekly - Mesanet Portal (Mar 22, 2026)
This walkthrough demonstrates an OTP bypass and broken access control chain against the Mesanet Portal. Directory enumeration reveals a dev portal protected by…
BugForge - Daily - Cafe Club (Mar 15, 2026)
The Cafe Club application contains a Business Logic Flaw in its PUT /api/profile endpoint. The endpoint accepts a user-controlled JSON body and applies all…
BugForge - Daily - Ottergram (Feb 28, 2026)
The Ottergram application contains an HTTP Verb Tampering vulnerability combined with an Insecure Direct Object Reference (IDOR) flaw in its comment…
BugForge - Daily - Gift Lab (Feb 19, 2026)
The Gift Lab application contains an Insecure Direct Object Reference (IDOR) vulnerability in its list sharing functionality. The application generates…
BugForge - Daily - Ottergram (Feb 14, 2026)
The Ottergram application contains a Broken Access Control vulnerability in its comment update endpoint. After systematically analyzing the application's…
BugForge - Daily - Ottergram (Feb 7, 2026)
The Ottergram application contains a Missing Function Level Access Control vulnerability in its administrative post deletion endpoint. The application…
BugForge - Daily - Ottergram (Jan 31, 2026)
The Ottergram application contains an Insecure Direct Object Reference (IDOR) vulnerability in its profile update functionality. While the application…
BugForge - Daily - Tanuki (Jan 27, 2026)
This challenge demonstrates an Insecure Direct Object Reference (IDOR) vulnerability in the profile update functionality. The application passes the username…
BugForge - Daily - Sokudo (Jan 22, 2026)
This challenge demonstrates a broken access control vulnerability exploited through HTTP verb tampering on a typing test statistics endpoint. After…
BugForge - Daily - Copy Pasta (Jan 21, 2026)
This issue is a classic example of broken access control caused by trusting user-supplied object identifiers. A password reset endpoint accepts a userId…
BugForge - Daily - Shady Oaks Finance (Jan 16, 2026)
Broken access control was identified where administrative endpoints were exposed without proper server-side authorization checks. By enumerating…
BugForge - Daily - Ottergram (Jan 10, 2026)
The application exposes a GraphQL API with introspection enabled in production, allowing attackers to query the full API schema and discover sensitive…
BugForge - Daily - Copy Pasta (Jan 7, 2026)
The CopyPasta application allows users to create and share code snippets with options to make them public or private. The snippet retrieval endpoint…
BugForge - Daily - Shady Oaks Finance (Jan 2, 2026)
This vulnerability is a broken access control issue caused by insecure design, where the application trusts client-supplied input to set sensitive user…
BugForge - Daily - Sokudo (Jan 1, 2026)
Exploited broken access control via HTTP verb tampering on the /api/stats endpoint—POST was blocked (404) but PUT lacked authorization, allowing stats…