Trusting Client Headers

Header Spoofing • Beginner

HTTP Headers

Objective: Gain access to admin-only features.

Try: Add or modify a privileged request header.

🛂 Design: This page looks official—but can the server prove you’re allowed?
Everything here is simulated and sandboxed to this site—no real accounts, no real services.

1) Demo

Here is the feature “working” as implemented in this mode.

App Output
Permission Ladder: your request claims a role. The server decides whether to trust it.
Role Evaluation: ▶ Free → Premium → Admin

In this mode, the server decided using the X-Admin request header.

Result

Access Denied. You are not authorized.

Response
Status: 403 Forbidden
Response Headers: (none)

2) How the code works

This section shows the mental model: what the server is “thinking”.

    // Vulnerable: the role claim is read straight from a client-controlled header
    if (request.headers["X-Admin"] !== "true") return 403;
    return adminPanel();

3) The issue

Headers are client-controlled. Attackers can set any header they want.

Real-world impact: If headers decide privileges, anyone can self-promote to admin.

4) Exploit it

Edit the raw request below. You can change method, path/query, headers, and body. Then send it. The server will parse what you typed and re-run the simulation.

Request Editor
Tip: For secure mode tests, add a cookie like: Cookie: session=1; role=Admin
Parsed View (what the server read)
method: GET
path: /admin
headers:
  host: kylerburke.dev
  x-admin: false
body: (empty)


5) Fix

Secure Mode shows the fix behavior. Flip modes and send the same request.

Use signed sessions or JWTs; derive identity and role server-side from the verified session, never from a request header.

Video

Short visual explanation to match what you just did.
