
Ottergram (BAC + HTTP Verb Tampering) — Bugforge

Tags: EN · medium · CTF challenge · BAC · Broken Access Control · HTTP Verb Tampering · IDOR · Authorization Bypass · Burp Suite

Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.

Step 1 (recon) · Explore the Ottergram Application

Objective: Log in as a regular user and map the application's functionality — understand which endpoints and features are available to a normal user.

Context: The target is the Ottergram application on Bugforge.io. Register or log in as a standard (non-admin) user. The app resembles an Instagram-style feed for otter photos, with a home feed, post creation, and a profile section visible in the bottom navigation bar.

Progressive hints

Reveal only the ones you need. Claude keeps count of how many you used to calibrate the feedback.

Hint 1 — directional nudge

Browse every accessible page and perform actions a normal user can do. Pay attention to all HTTP requests being made — use Burp Suite or your browser's DevTools to capture them.

Hint 2 — technique / vulnerability class

Look for navigation elements, settings icons, or UI components that hint at functionality beyond the normal user role — especially anything relating to administration or user management.

Hint 3 — almost the solution

The app has a settings/gear icon visible in the top-right of the feed. Click it and observe the request it generates. Also note the profile and post-management endpoints.
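One practical way to do the mapping the hints describe is to export the captured traffic (DevTools "Save all as HAR", or a proxy export in the same format) and summarize it into an inventory of method + path pairs seen while logged in as a normal user. The script below is an added example for this write-up, not code from Hintru or Bugforge; the HAR snippet inside it is constructed, the `ottergram.example` host and all paths are placeholders rather than the lab's real endpoints, and the keyword list is an assumption about what "hints at functionality beyond the normal user role" might look like. The resulting inventory is the baseline a tester or app owner later compares against the access each role is supposed to have.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HAR layout (log.entries[].request.method/url).
# Host and paths are placeholders, NOT real Ottergram traffic.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",  "url": "https://ottergram.example/feed"}},
        {"request": {"method": "POST", "url": "https://ottergram.example/api/posts"}},
        {"request": {"method": "GET",  "url": "https://ottergram.example/api/profile/me"}},
        {"request": {"method": "GET",  "url": "https://ottergram.example/api/feed?page=2"}},
        {"request": {"method": "GET",  "url": "https://ottergram.example/static/otter.png"}},
        {"request": {"method": "GET",  "url": "https://ottergram.example/settings"}},
        {"request": {"method": "GET",  "url": "https://ottergram.example/api/users"}},
    ]}
})

# Static assets add noise to an endpoint map; skip them by extension.
STATIC_SUFFIXES = (".png", ".jpg", ".gif", ".css", ".js", ".ico", ".woff2")

# Assumed keywords that suggest admin / user-management functionality
# (hypothetical list; tune it to the application under test).
PRIVILEGE_KEYWORDS = ("admin", "users", "manage", "settings", "role")


def load_har_requests(har_text):
    """Return de-duplicated (METHOD, path) pairs from a HAR string.

    Query strings are dropped so /api/feed?page=2 and /api/feed collapse to
    one endpoint; static assets are skipped.
    """
    entries = json.loads(har_text)["log"]["entries"]
    seen = []
    for entry in entries:
        req = entry["request"]
        path = urlsplit(req["url"]).path
        if path.lower().endswith(STATIC_SUFFIXES):
            continue
        pair = (req["method"].upper(), path)
        if pair not in seen:
            seen.append(pair)
    return seen


def build_endpoint_map(pairs):
    """Group the HTTP methods observed for each path: {path: [methods...]}."""
    methods_by_path = defaultdict(set)
    for method, path in pairs:
        methods_by_path[path].add(method)
    return {p: sorted(m) for p, m in sorted(methods_by_path.items())}


def flag_privileged_looking(endpoint_map):
    """Paths whose segments contain a keyword hinting at privileged functionality."""
    flagged = []
    for path in endpoint_map:
        segments = [s.lower() for s in path.split("/") if s]
        if any(kw in seg for seg in segments for kw in PRIVILEGE_KEYWORDS):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    endpoints = build_endpoint_map(load_har_requests(SAMPLE_HAR))
    for path, methods in endpoints.items():
        print(f"{', '.join(methods):<10} {path}")
    print("Review for role restrictions:", flag_privileged_looking(endpoints))
```

Run it against a real HAR by replacing `SAMPLE_HAR` with the file contents; the printed table shows every method each path was seen with during the normal-user session, and the flagged list is simply where to read the UI and responses more carefully, not evidence of a flaw by itself.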
