Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.
Objective: Confirm that the access control check on the admin endpoint is enforced but potentially bypassable, by sending the blocked request through Burp Suite with your regular-user session token.
Context: You have identified an admin endpoint. Your regular-user session cookie/token is available in Burp Suite. The server currently returns 403 for this endpoint.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
Send the blocked request to Burp Repeater and replay it with your own session. Observe exactly what the server returns — note the HTTP status code and response body.
Access control can sometimes be enforced at the routing/middleware layer rather than the endpoint logic layer. Consider whether changing something about the *request itself* — not the credentials — might bypass the check.
The access control may be enforced only for specific HTTP methods (e.g., GET or POST). Try sending the same request but with a different HTTP verb — such as PUT, PATCH, HEAD, or OPTIONS — to the same admin endpoint in Burp Repeater.