
Ottergram (BAC + HTTP Verb Tampering) — Bugforge

Difficulty: medium · CTF challenge

Tags: BAC · Broken Access Control · HTTP Verb Tampering · IDOR · Authorization Bypass · Burp Suite
Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.


Step 1 · Explore the Ottergram Application

Objective: Log in as a regular user and map the application's functionality — understand what endpoints and features are available to a normal user.

Context: The target is the Ottergram application on Bugforge.io. Register or log in as a standard (non-admin) user. The app resembles an Instagram-style feed for otter photos, with a home feed, post creation, and a profile section visible in the bottom navigation bar.

Progressive hints

Hint 1 — directional nudge

Browse every accessible page and perform actions a normal user can do. Pay attention to all HTTP requests being made — use Burp Suite or your browser's DevTools to capture them.

Hint 2 — technique / vuln class

Look for navigation elements, settings icons, or UI components that hint at functionality beyond the normal user role — especially anything relating to administration or user management.

Hint 3 — near solution

The app has a settings/gear icon visible in the top-right of the feed. Click it and observe the request it generates. Also note the profile and post-management endpoints.
