Access Control · Lesson 12 of 12

Access Control Review & Practice

A curated set of progressively harder access-control challenges. IDOR, path traversal, privilege escalation, mass assignment, JWT — no hand-holding. The AC course final.

Intermediate · 22 min
Tags: Access Control, Review, Practice

© 2026 Truesapiens.


This final lesson presents a curated set of progressively harder access-control challenges drawn from the techniques covered in this course: IDOR, path traversal, privilege escalation, mass assignment, JWT attacks, and CSRF. Each challenge provides a target description, a code snippet hint, and a payload entry field. The goal is to craft the correct exploit payload that demonstrates the vulnerability.

What you'll be able to do
  • Apply IDOR, path traversal, JWT, and CSRF attack techniques to realistic scenarios.
  • Read a code snippet to identify the missing access control.
  • Craft a payload that exploits the vulnerability without destroying the target.
  • Explain why each attack works at the code level.
Key terms
Challenge range
A set of progressively harder exercises that test the attacker's ability to identify and exploit specific vulnerability classes.
Exploit payload
The crafted input that triggers the vulnerability. In these challenges, it may be a parameter value, a request body, a cookie, or a JWT token.
SameSite bypass
A technique to bypass CSRF protections when SameSite cookies are used — typically by exploiting subdomains, timing windows, or fallback behaviours in older browsers.
What is it?

Five challenges, escalating difficulty

Each challenge simulates a real application endpoint with a missing access control. You are given the application code (or a relevant snippet), a description of the target, and a prompt to craft the exploit payload. Challenges progress from simple parameter manipulation to multi-step attacks combining JWT confusion with CSRF.


Pick a challenge, craft the exploit payload, and press Submit. The key tokens in your payload must match the canonical answer.

Challenges
Context

You are logged in as user_id=3. The profile endpoint returns any profile by ID. Craft the request to read another user's data.

Code snippet
// Vulnerable as written: the query is keyed only on the client-supplied :id,
// with no check that the logged-in user (req.session.userId) owns that profile
app.get('/api/profile/:id', async (req, res) => {
  const profile = await db.query(
    'SELECT * FROM profiles WHERE id = $1',
    [req.params.id],
  );
  res.json(profile.rows[0]);
});
Hint: Change the user_id parameter to a different value. Try /api/profile/1 or /api/profile/2.

Real-world relevance

Why these five scenarios matter

The five challenge classes appear in multiple OWASP Top 10 entries and account for the majority of access-control bug bounty submissions:

  • IDOR — the most common access control bug. Changing a user_id in a profile endpoint to access another user's data.
  • Path traversal — injection of ../ sequences to read arbitrary server files, the core of the Capital One breach.
  • JWT alg=none — a server misconfiguration that accepts unsigned tokens, allowing arbitrary identity forgery.
  • CSRF with SameSite bypass — circumventing SameSite cookies via subdomain-level attacks or method override tricks.

Mastering these five scenarios means you can recognise the majority of access-control vulnerabilities you will encounter in the wild — and you know how to fix each one.

Mitigation

How to fix each challenge

Code snippet: fixes (JavaScript)
const path = require('path');
const jwt = require('jsonwebtoken');

// CHALLENGE 1: IDOR — add ownership check
app.get('/api/profile/:id', async (req, res) => {
  // Scope the lookup to the logged-in user so another user's id returns no row
  const profile = await db.query(
    'SELECT * FROM profiles WHERE id = $1 AND user_id = $2',
    [req.params.id, req.session.userId],
  );
  if (!profile.rows[0]) return res.status(403).end();
  res.json(profile.rows[0]);
});

// CHALLENGE 2: Path traversal — canonicalise, then compare against the base directory
const base = path.resolve('/var/www/uploads');
const requested = path.resolve(base, req.params.file);
// Compare with the trailing separator included: a bare startsWith(base) would
// also accept a sibling directory such as /var/www/uploads-evil
if (!requested.startsWith(base + path.sep)) {
  return res.status(403).end();
}

// CHALLENGE 3: JWT alg=none — enforce algorithm whitelist
jwt.verify(token, secret, { algorithms: ['HS256'] });

// CHALLENGE 4: CSRF — use anti-forgery token + SameSite=Strict
app.post('/api/transfer', csrfProtection, (req, res) => { ... });
Further reading
  • OWASP Top 10 — A01:2021 Broken Access Control (OWASP)
  • JWT Handbook — alg=none Attack (Auth0)
  • PortSwigger — CSRF with SameSite Bypass (PortSwigger)
Key takeaways

What to remember

  • IDOR is the most common access control bug — always verify ownership server-side.
  • Path traversal is prevented by canonicalisation, not by blocking specific strings.
  • JWT libraries default to lenient algorithm validation — always whitelist accepted algorithms.
  • CSRF protection requires multiple layers: anti-forgery tokens, SameSite cookies, and custom headers.
  • Every access-control vulnerability shares the same root cause: the server trusts client-supplied input without verifying permission.

Knowledge check

  1. An API endpoint reads /var/www/files/ + req.params.filename. What is the vulnerability?

  2. A JWT library accepts tokens with an alg header value of "none". What does the attacker gain?

  3. Which defence prevents CSRF when an attacker hosts a form on their own site that submits to your application?