
Ottergram (BAC + HTTP Verb Tampering) — Bugforge

EN · medium · CTF challenge · Tags: BAC, Broken Access Control, HTTP Verb Tampering, IDOR, Authorization Bypass, Burp Suite

Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.

Phase: post_exploitation

Step 5 · Exploit Admin Access — Perform Unauthorised Admin Action

Objective: Use the verb-tampered request to perform an admin-level action — such as reading other users' data, deleting posts, or modifying user roles — to demonstrate the full impact of the BAC + Verb Tampering chain.

Context: You now have a working bypass: a specific HTTP verb on the admin endpoint returns 200 as a regular user. Demonstrate the real-world impact by performing an action only an admin should be allowed to do.

Progressive hints


Hint 1 — directional nudge

What admin actions can you now trigger? Try reading sensitive user data, modifying another user's content, or escalating privileges — all using the verb-tampered request as your template in Burp Repeater.

Hint 2 — technique / vuln class

Replay the successful verb-tampered request but adjust the endpoint path or body to target admin actions: listing all users, viewing private posts, or performing moderation tasks.

Hint 3 — near solution

Use the bypass method (the working HTTP verb) to navigate admin sub-endpoints. For example, if /api/admin/users returned 200, try fetching individual user data, accessing post moderation, or reading private content that is not visible in the normal user feed.
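An added example (not Bugforge's or Ottergram's code) of the defect class the bypass in this lab relies on, seen from the defender's side: an authorization gate keyed to particular verbs beside one keyed to the resource, plus a check over constructed access-log lines. The paths, roles and log format are assumptions.

```python
"""Added example (not Bugforge's or Ottergram's code): a toy authorization
gate with the verb-keyed defect this lab exercises, its hardened form, and a
log check a defender could run. Paths, roles and log lines are assumed."""

ADMIN_PREFIX = "/api/admin/"
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}

def admin_handler(path, method):
    # Stand-in for the real admin code; it trusts that the gate already ran.
    return 200, f"{method} {path}: admin data"

def vulnerable_gate(path, method, role):
    # Defect: the role check only fires for the verbs the developer expected,
    # so a request with any other verb reaches the handler unchecked.
    if path.startswith(ADMIN_PREFIX) and method in ("GET", "POST"):
        if role != "admin":
            return 403, "forbidden"
    return admin_handler(path, method)

def hardened_gate(path, method, role):
    # Fix: reject verbs the route does not serve before any handler code runs,
    # and decide authorization on the resource, never on the verb.
    if method not in ALLOWED_METHODS:
        return 405, "method not allowed"
    if path.startswith(ADMIN_PREFIX) and role != "admin":
        return 403, "forbidden"
    return admin_handler(path, method)

# Constructed access-log lines: "<role> <method> <path> <status>".
CONSTRUCTED_LOG = [
    "admin GET /api/admin/users 200",
    "user GET /api/admin/users 403",
    "user PATCH /api/admin/users 200",  # the bypass leaves this trace
    "user GET /api/feed 200",
]

def suspicious_admin_hits(log_lines):
    """Return successful admin-path requests made by a non-admin role or
    with a verb outside the served set; either is worth an alert."""
    hits = []
    for line in log_lines:
        role, method, path, status = line.split()
        if path.startswith(ADMIN_PREFIX) and status == "200" and (
            role != "admin" or method not in ALLOWED_METHODS
        ):
            hits.append(line)
    return hits
```

Calling `vulnerable_gate("/api/admin/users", "PATCH", "user")` returns a 200 while `hardened_gate` with the same arguments returns a 405, and `suspicious_admin_hits(CONSTRUCTED_LOG)` singles out the one line the bypass would leave behind.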

