Broken Access Control
The bug almost every API has somewhere.
Chapter 02 of the roadmap. Work through each walkthrough below, or browse every topic.
- Insecure Direct Object Reference: Unauthorized Order Access
How changing one number in the URL lets you read anyone's order on OopsSec Store.
- Open Redirect: Accessing Internal Pages via Login Redirect
Exploit an unvalidated redirect parameter on OopsSec Store's login page to reach a restricted internal OAuth callback endpoint.
- Broken Object Level Authorization: Accessing Private Wishlists
A BOLA vulnerability in OopsSec Store's wishlist API lets any logged-in user read anyone else's private wishlist, including an admin one that contains the flag.
- Broken Function Level Authorization: Hijacking the Live Stream
OopsSec Live hides the broadcast controls from non-admins in the UI, but the API never checks your role. Any logged-in customer can replace the live stream, exactly like the 2026 FIFA internal-systems hack.
- Path Traversal: Escaping the Documents Directory via the Files API
Exploiting an unsanitized file path parameter in OopsSec Store's documents API to read files outside the intended directory and retrieve a flag.