Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.
Objective: Identify endpoints or functionality that are intended to be restricted to admin users only.
Context: You are authenticated as a standard user. The application likely has administrative endpoints that are not linked from the regular user UI but may still be accessible.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
Look in the captured traffic for endpoints that reference admin roles, user management, or moderation. Try navigating to those paths directly — see how the server reacts.
This is a Broken Access Control (BAC) scenario. Try accessing admin-related URL paths directly, or look for endpoints in the captured traffic that reference admin roles, user management, or moderation.
Try navigating to paths such as /admin, /api/admin, /admin/users, or similar. Alternatively, look at the captured Burp requests for any endpoint that returns a 403 or redirects you away — those are your targets.