MISSION 1 — URL PARAMETER MANIPULATION (BROKEN ACCESS CONTROL)
Real-World Scenario:
Many websites use URL parameters to decide what content to show. For example:
example.com/profile.php?user=123
This might load a specific user's profile from the database.
The Problem:
If the application does NOT properly validate or restrict this input, a user could simply change the value in the URL to access something they shouldn't.
Example attack:
?user=124 → view another user's profile
?page=admin → access admin panel
Why this is dangerous:
- Users can manipulate application behavior
- Hidden or restricted pages can be accessed
- No authentication or authorization checks are enforced
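The following is an added example, not code from the mission page: a minimal handler that reproduces the broken ?user= lookup described above next to a version that enforces the missing authorization check. The user table, the role names and the session-id argument are constructed for the demo.

```python
# Added example: broken access control on a URL parameter, and the fix.
# The user table and session handling below are constructed for the demo.

# Constructed sample data: user id -> profile record with a role.
USERS = {
    123: {"name": "alice", "email": "alice@example.com", "role": "user"},
    124: {"name": "bob",   "email": "bob@example.com",   "role": "user"},
    1:   {"name": "root",  "email": "admin@example.com", "role": "admin"},
}

def vulnerable_profile(session_user_id, params):
    """Trusts the ?user= parameter alone: any logged-in user can read any
    profile just by changing the number in the URL (the bug on this page)."""
    target = int(params.get("user", session_user_id))
    return (200, USERS[target]) if target in USERS else (404, None)

def secure_profile(session_user_id, params):
    """Authorization check: a caller may only view their own profile unless
    their own record carries the admin role. The decision rests on the
    server-side session identity, never on the URL parameter."""
    try:
        target = int(params.get("user", session_user_id))
    except ValueError:
        return (400, None)           # reject malformed input early
    caller = USERS.get(session_user_id)
    if caller is None:
        return (401, None)           # no valid session
    if target != session_user_id and caller["role"] != "admin":
        return (403, None)           # deny before touching the record
    return (200, USERS[target]) if target in USERS else (404, None)

def secure_page(session_user_id, params):
    """The ?page=admin case: the page name only selects a view; the role
    check comes from the session, so ?page=admin alone gains nothing."""
    page = params.get("page", "home")
    caller = USERS.get(session_user_id)
    if caller is None:
        return (401, None)
    if page == "admin" and caller["role"] != "admin":
        return (403, None)
    return (200, page)
```

Note that the hardened handlers return 403 before the database record is read, so a denied request never leaks whether the target id exists.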
Industry Reference:
This issue falls under Broken Access Control in the OWASP Top 10.
Learn more: OWASP Top 10