Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.
Objective: Bypass the access control on the admin endpoint by changing the HTTP method (verb) of the request, gaining unauthorised access to admin functionality.
Context: The admin endpoint returns 403 on the standard HTTP method. The server-side access control middleware may only check the method that was used during its ACL configuration, leaving other verbs unprotected. The VerbTamper Burp extension (https://github.com/7s26simon/VerbTamper) can automate this, or you can do it manually in Burp Repeater.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
HTTP servers can handle the same URL with different verbs. If the access control only blocks one verb, other verbs may pass through to the underlying logic unchecked.
This is HTTP Verb Tampering. The ACL is enforced only for certain HTTP methods. Try alternative verbs on the same admin endpoint URL.
In Burp Repeater, change the request method from GET (or POST) to an alternative such as POST, PUT, PATCH, or HEAD. Try each one against the admin endpoint. One of them will return a 200 OK and reveal admin content instead of 403.