Broken Access Control Lab

Exploit IDOR, privilege escalation, and forceful browsing vulnerabilities

Level 1: IDOR - Insecure Direct Object Reference (Easy) Level 2: Privilege Escalation - Horizontal (Medium) Level 3: Privilege Escalation - Vertical (Medium) Level 4: Forceful Browsing (Hard)
Medium Level 3: Privilege Escalation - Vertical

Objective

Access an admin-only endpoint as a regular user. The access control check is flawed.
Login as a regular user: POST /api/login {"username":"alice","password":"alice123"}
Then try: POST /api/admin/flag with alice's token.

Test Credentials

alice: alice123(user, id:1)
bob: bob456(user, id:2)
charlie: charlie789(user, id:3)
admin: admin321(admin, id:4)
API Request
Quick Login:
API Response
Waiting for request...
// Response will appear here
FLAG CAPTURED!
Hint: The admin endpoint checks if the role field exists in the token, not if it equals "admin". Since every user's token contains a role field, any logged-in user can access the admin endpoint at POST /api/admin/flag.