
Ottergram (BAC + HTTP Verb Tampering) — Bugforge

Difficulty: medium · CTF challenge · Tags: BAC (Broken Access Control), HTTP Verb Tampering, IDOR, Authorization Bypass, Burp Suite

Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.

Step 1 (recon) · Explore the Ottergram Application

Objective: Log in as a regular user and map the application's functionality — understand what endpoints and features are available to a normal user.

Context: The target is the Ottergram application on Bugforge.io. Register or log in as a standard (non-admin) user. The app resembles an Instagram-style feed for otter photos, with a home feed, post creation, and a profile section visible in the bottom navigation bar.

Progressive hints

Hint 1 — directional nudge

Browse every accessible page and perform actions a normal user can do. Pay attention to all HTTP requests being made — use Burp Suite or your browser's DevTools to capture them.

Hint 2 — technique / vuln class

Look for navigation elements, settings icons, or UI components that hint at functionality beyond the normal user role — especially anything relating to administration or user management.

Hint 3 — near solution

The app has a settings/gear icon visible in the top-right of the feed. Click it and observe the request it generates. Also note the profile and post-management endpoints.

Official solution

Log in as a regular user (e.g., otter_lover). Browse the home feed and use Burp Suite to capture all requests. Note the gear/settings icon in the top navigation bar. Identify the API endpoints being called for feed, profile, and settings actions.

Validation criteria: Student maps at least the feed endpoint, profile endpoint, and settings/admin endpoint by intercepting traffic in Burp Suite.
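An added example, not part of the lab or Bugforge's materials: a small Python script that turns captured proxy traffic into the endpoint inventory this step asks for, grouping requests by method and path template and singling out the entries whose authorization an application reviewer would check first. The request list and the /api/... paths are constructed placeholders, not the real Ottergram endpoints.

```python
import re
from collections import defaultdict

# Constructed sample of captured requests (method, path, status), the shape an
# intercepting proxy's HTTP history yields; placeholder paths, not real Ottergram traffic.
CAPTURED = [
    ("GET", "/api/feed", 200),
    ("GET", "/api/feed?page=2", 200),
    ("GET", "/api/users/42/profile", 200),
    ("GET", "/api/users/43/profile", 200),
    ("POST", "/api/posts", 201),
    ("DELETE", "/api/posts/17", 204),
    ("GET", "/api/admin/settings", 403),
    ("GET", "/api/admin/users", 403),
]

# Path words that suggest functionality beyond the normal user role (heuristic).
PRIVILEGED_HINTS = ("admin", "settings", "manage")


def normalize(path):
    """Drop the query string and replace numeric path segments with {id}, so
    /api/users/42/profile and /api/users/43/profile collapse to one template."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def build_inventory(captured):
    """Group captured requests into (method, template) -> hit count and statuses seen."""
    inv = defaultdict(lambda: {"count": 0, "statuses": set()})
    for method, path, status in captured:
        entry = inv[(method, normalize(path))]
        entry["count"] += 1
        entry["statuses"].add(status)
    return dict(inv)


def privileged_candidates(inventory):
    """Templates whose path hints at administrative functionality: review their authorization."""
    return sorted(k for k in inventory if any(h in k[1].lower() for h in PRIVILEGED_HINTS))


def object_reference_endpoints(inventory):
    """Templates that take an object id: review that the id is bound to the caller (IDOR check)."""
    return sorted(k for k in inventory if "{id}" in k[1])


if __name__ == "__main__":
    inv = build_inventory(CAPTURED)
    for (method, template), info in sorted(inv.items()):
        print(f"{method:7} {template:28} hits={info['count']} statuses={sorted(info['statuses'])}")
    print("authorization review:", privileged_candidates(inv))
    print("object-reference review:", object_reference_endpoints(inv))
```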
