Client-Side Authorization

Client ≠ Server • Beginner

Trust Boundaries

Secure Mode• show fix Session• Cookie Recruiter• Mode

Objective: Unlock premium features without proper authorization.

Try: Toggle a client-controlled flag.

🔒 Design: If the lock lives in the client, the lock is fake.

Everything here is simulated and sandboxed to this site—no real accounts, no real services.

Demo How it works Issue Exploit Fix Video

1) Demo

Here is the feature “working” as implemented in this mode.

App Output

Dashboard View

Standard user view

Theme: This challenge is about “UI lies”. If the server doesn’t enforce it, the lock is fake.

Response

Status: 403 Forbidden Response Headers: (none)

2) How the code works

This section shows the mental model: what the server is “thinking”.

// client decides access if (url.admin === true) showAdminUI();

3) The issue

Client-side flags can be changed by users. The server must enforce authorization.

Real-world impact: Attackers toggle a boolean and unlock protected areas if the server doesn’t check.

4) Exploit it

Edit the raw request below. You can change method, path/query, headers, and body. Then send it. The server will parse what you typed and re-run the simulation.

Request Editor

Tip: For secure mode tests, add a cookie like: Cookie: session=1; role=Admin

Parsed View (what the server read)

method: GET path: /dashboard?admin=false headers: host: kylerburke.dev body: (empty)

Exploit Editor Hidden (Recruiter Mode)

This mode is designed for sharing your portfolio. It focuses on clear explanation, real-world impact, and fixes—without interactive exploitation.

Want to demo the exploit? Turn Recruiter Mode off and use the Request Editor.

5) Fix

Secure Mode shows the fix behavior. Flip modes and send the same request.

Always verify permissions on the server before returning sensitive data.

Video

Short visual explanation to match what you just did.

Swap the YouTube ID in the Worker to pick a different explainer video for this vulnerability.