BugForge - Daily - Shady Oaks Finance (Repeat)
Daily - Shady Oaks Finance (Repeat)
This is a repeat of the daily challenge from January 2nd, 2026.
Vulnerability Overview
This challenge demonstrates a broken access control vulnerability caused by insecure design. The application trusts client-supplied input to set sensitive user attributes, specifically the role parameter during an account upgrade process.
Key Issues:
- The application accepts a `role` parameter directly from the client during the upgrade request
- No server-side validation or authorization checks are performed on the role value
- An attacker can intercept the upgrade request and change the role to `administrator`
- The backend blindly accepts the tampered value, granting administrative privileges
This represents a fundamental design flaw where authorization decisions are delegated to the client rather than being enforced server-side.
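An added example, not the challenge's own code: the trusting upgrade handler described above beside a hardened version that decides the role server-side, plus a check that flags upgrade requests carrying a client-supplied role. The user store, request shape and plan-to-role mapping are assumptions.

```python
ALLOWED_UPGRADE_ROLES = {"premium"}  # roles a self-service upgrade may grant
PLAN_TO_ROLE = {"premium": "premium"}  # client picks a plan; server picks the role


def make_users():
    """Constructed user store (assumption): user_id -> attributes."""
    return {"alice": {"role": "user"}, "root": {"role": "administrator"}}


def upgrade_vulnerable(users, session_user, form):
    """The challenge's flaw: the client-supplied 'role' field is written as-is."""
    users[session_user]["role"] = form["role"]
    return users[session_user]["role"]


def upgrade_hardened(users, session_user, form):
    """Authorization enforced server-side: the role is derived from a server
    mapping, and any 'role' field the client sends is never read."""
    new_role = PLAN_TO_ROLE.get(form.get("plan"))
    if new_role is None or new_role not in ALLOWED_UPGRADE_ROLES:
        raise PermissionError("upgrade plan does not grant a self-service role")
    users[session_user]["role"] = new_role
    return new_role


def hardened_rejects(form):
    """True if the hardened handler refuses the request."""
    try:
        upgrade_hardened(make_users(), "alice", form)
        return False
    except PermissionError:
        return True


# Constructed request records, as an application or WAF log might capture them.
SAMPLE_REQUESTS = [
    {"user": "alice", "path": "/account/upgrade", "body": {"plan": "premium"}},
    {"user": "bob", "path": "/account/upgrade",
     "body": {"plan": "premium", "role": "administrator"}},
    {"user": "carol", "path": "/login", "body": {"role": "administrator"}},
]


def flag_tampered_upgrades(requests):
    """Detection: the hardened design never reads 'role' from the client, so
    any upgrade request that carries one is tampering worth alerting on."""
    return [r["user"] for r in requests
            if r["path"] == "/account/upgrade" and "role" in r["body"]]
```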
Vulnerabilities Covered
- Broken Access Control - Unauthorized privilege escalation through parameter manipulation
- Parameter Tampering - Modifying the `role` parameter in the upgrade request
- Insecure Design - Trusting client input for security-critical role assignment
Classification
- OWASP Top 10: A01:2021 - Broken Access Control
- CWE: CWE-639 - Authorization Bypass Through User-Controlled Key
This post is licensed under CC BY 4.0 by the author.
