Request builder
Attack Type: Login as User
GET http://api.techcorp.in/api/
Authorization: not logged in (the Authorization header is populated after login)
Request Headers / Body / Response Headers: empty until a request is sent
Defender
Attack Log: 0 entries

Authorization Controls
- Object Ownership Check: verify the requesting user owns the resource
- Role-Based Access: admin/manager routes protected

Mass Assignment
- Field Allowlist: block writes to role/balance fields

Rate Limiting
- Request Rate Limit: 5 req/10s per token
- Auto Lockout: block after limit breach

Current Status: ⚠ All defenses OFF — app is fully vulnerable. Toggle controls above to fix.
QUICK EXPLOITS: IDOR Sweep, Mass Assign, Rate Flood, Admin Esc.