Broken Access Control Lab

Exploit IDOR, privilege escalation, and forceful browsing vulnerabilities

Level 4: Forceful Browsing (Hard)

Objective

Find and access a hidden debug endpoint that was left in production. No authentication is needed, but you have to guess the URL.
Think about common debug/admin paths. Try common patterns like /api/admin/debug/

Test Credentials

alice / alice123 (user, id: 1)
bob / bob456 (user, id: 2)
charlie / charlie789 (user, id: 3)
admin / admin321 (admin, id: 4)
Hint: The endpoint is at /api/admin/debug/flag. It's a hidden debug endpoint that was left in production with no authentication at all. Try GET /api/admin/debug/flag without any token.
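The defect behind this level is a route that exists in production without any authorization check. The following added example (not the lab's own code; its framework is not shown on the page) models the vulnerable route table beside a hardened dispatcher that authenticates first, enforces a declared role per route, and only registers debug routes when an explicit environment switch is set. The user/role table mirrors the lab's test accounts; the flag value and the `ENABLE_DEBUG_ENDPOINTS` switch are constructed.

```python
# Constructed accounts mirroring the lab's test users (roles from the page).
USERS = {"alice": "user", "bob": "user", "charlie": "user", "admin": "admin"}

FLAG = "FLAG{constructed-placeholder}"  # constructed, not the lab's real flag

def debug_flag_handler(user):
    return 200, FLAG

def profile_handler(user):
    return 200, f"profile of {user}"

# Vulnerable pattern (the level 4 bug): a flat route table with no per-route
# authorization, so anyone who guesses the path reaches the debug handler.
VULNERABLE_ROUTES = {
    "/api/profile": profile_handler,
    "/api/admin/debug/flag": debug_flag_handler,
}

def vulnerable_dispatch(path, user=None):
    handler = VULNERABLE_ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(user)  # no identity or role check at all

# Hardened pattern: every route declares the role it requires, authorization
# runs centrally before any handler, and debug routes are only registered when
# an explicit switch is set (pass os.environ in a real deployment).
def build_hardened_routes(env):
    routes = {"/api/profile": ("user", profile_handler)}
    if env.get("ENABLE_DEBUG_ENDPOINTS") == "1":
        routes["/api/admin/debug/flag"] = ("admin", debug_flag_handler)
    # Guard against a future route under /api/admin/ forgetting to require admin.
    for path, (required, _) in routes.items():
        assert not path.startswith("/api/admin/") or required == "admin", path
    return routes

def hardened_dispatch(routes, path, user=None):
    # Authenticate before route lookup so unauthenticated probes cannot
    # distinguish existing paths from missing ones.
    if user is None:
        return 401, "authentication required"
    entry = routes.get(path)
    if entry is None:
        return 404, "not found"
    required, handler = entry
    role = USERS.get(user)
    # Deny by default: admin satisfies every requirement, user only "user".
    if role != "admin" and role != required:
        return 403, "forbidden"
    return handler(user)
```

With no switch set, the debug route does not exist at all, so the production build cannot leak the flag even if the path is guessed.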