

Access Control

When the server trusts the client to say who they are. IDOR, privilege escalation, path traversal — the missing check that leaks everything.

12 lessons · 163 min total

Curriculum

12 parts in 5 phases
Foundation · 4 lessons · 44 min
Lesson 1 · Beginner

IDOR: The Missing Check

Insecure Direct Object Reference — when the server trusts the client-supplied identifier without verifying ownership. Change one number, see someone else's data.

Access Control · IDOR · Web
10 min
Lesson 2 · Beginner

Path Traversal

Dot-dot-slash and the fight over file boundaries. When an application resolves user-supplied filenames without validation, the filesystem becomes the attack surface.

Access Control · Path Traversal · Web
10 min
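As an added example (not part of the SPNZ course material), here is the resolver a practitioner would write for the download endpoint the description alludes to: the trusting join beside a hardened version that validates on path components rather than string prefixes, decodes URL input exactly once before checking, and rejects NUL bytes. BASE_DIR, the function names and the sample filenames are constructed for this illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: a download endpoint serves files from this directory.
BASE_DIR = "/srv/app/uploads"


def vulnerable_resolve(user_name: str) -> str:
    """The 'before': trusts the client-supplied filename.

    posixpath.join discards BASE_DIR entirely when user_name is absolute,
    and '..' segments survive normalisation, so the result can land anywhere.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, user_name))


def safe_resolve(user_name: str, base_dir: str = BASE_DIR) -> str:
    """Resolve user_name under base_dir, refusing anything that escapes it.

    The check compares path components, not raw string prefixes, so
    '/srv/app/uploads_old/x' is not accepted as being under '/srv/app/uploads'.
    This is pure path arithmetic; on a real filesystem run the same check on
    os.path.realpath() output so a symlink cannot point back outside base.
    Raises ValueError on any escape attempt.
    """
    if "\x00" in user_name:
        raise ValueError("NUL byte in filename")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_name))
    # commonpath is the deepest directory both share; it must be base itself,
    # and the candidate must be something inside base, not base.
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_name!r}")
    return candidate


def resolve_url_segment(raw_segment: str) -> str:
    """Decode exactly once, then validate. Validating the encoded form is the
    classic bypass: '..%2f' passes a substring check for '../' and then decodes."""
    return safe_resolve(unquote(raw_segment))


def is_safe(user_name: str) -> bool:
    """Convenience predicate: True if safe_resolve accepts the name."""
    try:
        safe_resolve(user_name)
        return True
    except ValueError:
        return False
```

The sibling-directory case (`../uploads_old/report.pdf`) is the one a naive `startswith(BASE_DIR)` check misses; `commonpath` handles it because it compares whole components.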
Lesson 3 · Intermediate

Privilege Escalation

Horizontal: see another user's data. Vertical: become an admin. Both happen when the server trusts a client-supplied role flag or fails to enforce per-action checks.

Access Control · PrivEsc · Web
12 min
Lesson 6 · Intermediate

API Access Control

REST endpoints, GraphQL queries, and the missing auth check that leaks data through every field resolver. Why API access control is harder than page-level auth.

Access Control · API · GraphQL
12 min
Offense · Core techniques · 3 lessons · 37 min
Lesson 4 · Intermediate

Mass Assignment

The framework binds every field in the request body to a model attribute. Send role=admin in the JSON payload and the model writes it — no explicit code required.

Access Control · Mass Assignment · Web
10 min
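An added example, not course code: a dataclass model updated from a JSON body by generic binding (the 'before'), beside a per-endpoint allowlist that refuses the smuggled role and email_verified fields and type-checks what it does accept. The User model, the PROFILE_UPDATE body and the field names are constructed for the illustration.

```python
import json
from dataclasses import dataclass, fields


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"            # privileged: only an admin path may change it
    email_verified: bool = False  # privileged: only the verification flow sets it


# Constructed request body for a self-service profile edit that smuggles privileged fields.
PROFILE_UPDATE = json.dumps(
    {"display_name": "mallory", "role": "admin", "email_verified": True}
)


def update_profile_vulnerable(user: User, body: str) -> User:
    """The 'before': binds every key in the body to a same-named attribute.

    This is what generic model binding does by default; the handler never
    mentions 'role', yet role becomes whatever the client sent.
    """
    for key, value in json.loads(body).items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Allowlist per endpoint: the only fields a profile edit may touch.
PROFILE_WRITABLE = frozenset({"display_name", "email"})
_FIELD_TYPES = {f.name: f.type for f in fields(User)}


def update_profile_safe(user: User, body: str) -> User:
    """Bind only allowlisted fields, after validating the whole body.

    Unexpected keys are rejected rather than silently dropped, so a probe for
    mass assignment shows up as a 4xx in the logs instead of vanishing, and
    nothing is written until every key and value has passed.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    rejected = set(data) - PROFILE_WRITABLE
    if rejected:
        raise ValueError(f"not writable on this endpoint: {sorted(rejected)}")
    for key, value in data.items():
        if not isinstance(value, _FIELD_TYPES[key]):
            raise ValueError(f"{key}: expected {_FIELD_TYPES[key].__name__}")
    for key, value in data.items():
        setattr(user, key, value)
    return user


def try_update(fn, user: User, body: str) -> bool:
    """Apply fn; True if it succeeded, False if the update was refused."""
    try:
        fn(user, body)
        return True
    except ValueError:
        return False
```

Framework equivalents of PROFILE_WRITABLE are Rails strong parameters, Django form/serializer `fields`, and a separate request DTO in Spring; the point is the same: the bindable set is declared per endpoint, never derived from the model.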
Lesson 7 · Intermediate

JWT Attacks

alg=none, RS256-to-HS256 confusion, kid injection, weak secret brute-force. The stateless token that lets an attacker forge any identity if the server misconfigures validation.

Access Control · JWT · Auth
14 min
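Added example, not the course's own code: a stdlib-only HS256 signer and two verifiers. verify_vulnerable lets the token header choose the algorithm and therefore accepts an alg=none forgery; verify_pinned fixes the algorithm on the server side, which also closes RS256-to-HS256 confusion because the header can no longer steer the verifier. brute_force_secret shows the offline weak-secret attack over a constructed wordlist. SERVER_SECRET, the claims and the wordlist are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing secret; a real one is long, random, and lives in a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Server side: issue a correctly signed HS256 token."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    return f"{signing_input}.{_b64url(_hs256(secret, signing_input))}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: same structure, header says 'none', empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_vulnerable(token: str, secret: bytes) -> dict:
    """The 'before': the token's own header decides how it is verified."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":  # 'unsigned' treated as valid
        return json.loads(_b64url_decode(p))
    if alg == "HS256" and hmac.compare_digest(_hs256(secret, f"{h}.{p}"), _b64url_decode(s)):
        return json.loads(_b64url_decode(p))
    raise ValueError("bad signature")


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened: the server fixes the algorithm; the header may only agree with it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("algorithm not allowed")
    if not hmac.compare_digest(_hs256(secret, f"{h}.{p}"), _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def brute_force_secret(token: str, wordlist) -> Optional[bytes]:
    """Offline attack on a weak HS256 secret: re-sign header.payload with each
    candidate and compare. Needs one captured token and no requests to the server."""
    h, p, s = token.split(".")
    target = _b64url_decode(s)
    for word in wordlist:
        candidate = word.encode() if isinstance(word, str) else word
        if hmac.compare_digest(_hs256(candidate, f"{h}.{p}"), target):
            return candidate
    return None


def accepts(verifier, token: str, secret: bytes) -> bool:
    """True if verifier returns claims for the token, False if it rejects it."""
    try:
        verifier(token, secret)
        return True
    except ValueError:
        return False
```

Real libraries expose the pinned behaviour as an explicit `algorithms=[...]` parameter; the bug on the page is leaving that unset and letting the header fill it in.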
Lesson 8 · Intermediate

CSRF

Cross-Site Request Forgery — the browser attaches the session cookie to a request whoever triggered it. A hidden form or img tag on a forum page fires a state-changing request at a bank the victim left open in another tab.

Access Control · CSRF · Web
13 min
Offense · Deep extraction · 1 lesson · 14 min
Lesson 9 · Advanced

Rate Limit & Auth Bypass

IP rotation, X-Forwarded-For spoofing, race conditions, distributed brute-force. When the only defence between an attacker and every account is a Redis counter, the attacker has options.

Access Control · Rate Limit · Bypass
14 min
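Added example, not course code: the X-Forwarded-For spoofing bypass from the description, simulated against an in-memory stand-in for the Redis counter. The trusted-proxy address 10.0.0.5, the attacker address 203.0.113.7 and the request lists are constructed. The fix keys the limiter on the TCP peer address unless that peer is the proxy, and then on the hop the proxy appended rather than the one the client wrote.

```python
from collections import defaultdict

# Constructed topology: one reverse proxy fronts the app and is the only host
# allowed to speak for the client's address.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})
ATTEMPTS_PER_WINDOW = 5  # window expiry omitted; counters live for this run


class Limiter:
    """Stand-in for the Redis counter: INCR key, compare with the limit."""

    def __init__(self, limit: int = ATTEMPTS_PER_WINDOW):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def key_vulnerable(peer_ip: str, headers: dict) -> str:
    """The 'before': trusts X-Forwarded-For from anyone, first value wins.
    Whoever sends the request picks the bucket the attempt is counted in."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def key_safe(peer_ip: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then use the LAST hop (appended by the proxy), not the first (which the
    client may have written). Direct connections are keyed on the real peer."""
    xff = headers.get("X-Forwarded-For")
    if peer_ip in trusted and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer_ip


def simulate(key_fn, requests) -> int:
    """Run constructed (peer_ip, headers) requests through a fresh Limiter;
    return how many attempts got through."""
    limiter = Limiter()
    return sum(limiter.allow(key_fn(peer, hdrs)) for peer, hdrs in requests)


# Scenario 1: attacker bypasses the proxy, connects straight to the app, and
# rotates a fake X-Forwarded-For on every login attempt.
DIRECT_SPOOFED = [
    ("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(20)
]

# Scenario 2: attacker goes through the proxy and pre-loads the header; the
# proxy appends the real client address as the final hop.
VIA_PROXY_SPOOFED = [
    ("10.0.0.5", {"X-Forwarded-For": f"198.51.100.{i}, 203.0.113.7"}) for i in range(20)
]

# Scenario 3: twenty distinct legitimate clients behind the proxy, one attempt each.
VIA_PROXY_DISTINCT = [
    ("10.0.0.5", {"X-Forwarded-For": f"192.0.2.{i}"}) for i in range(20)
]
```

Keying on the client address alone still loses to genuine IP rotation; a second counter keyed on the target account (and a lockout or step-up after it trips) is what catches a distributed brute-force against one login.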
Discovery & Defense · 2 lessons · 28 min
Lesson 5 · Intermediate

Access Control Hardening

Server-side ownership checks, deny-by-default, centralised gate functions, and the audit query that finds every missing check before an attacker does.

Access Control · Hardening · RBAC
14 min
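Added example serving both Lesson 1 (IDOR) and this lesson; it is not the course's own code. A vulnerable route returns any invoice by id; the v2 routes go through one deny-by-default policy function via an authorize() decorator, and audit_ungated_routes() is a code-level version of "the audit query": it lists every registered route that skipped the gate. Actor, Invoice, the INVOICES table and the route paths are constructed.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Actor:
    user_id: int
    role: str


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed table standing in for the database.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=250),
    102: Invoice(102, owner_id=2, amount=9900),
}


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist', so the response cannot
    be used as an existence oracle for other users' ids."""


def can(actor: Actor, action: str, invoice: Invoice) -> bool:
    """The single policy function. Anything not listed here is denied."""
    if actor.role == "admin":
        return True
    if action in ("read", "update") and invoice.owner_id == actor.user_id:
        return True
    return False


def authorize(action: str):
    """Gate decorator: load the object, ask can(), then hand the handler the
    already-authorised object. Tags the handler so the audit can see it."""
    def decorate(handler):
        @wraps(handler)
        def wrapper(actor: Actor, invoice_id: int, *args, **kwargs):
            invoice = INVOICES.get(invoice_id)
            if invoice is None or not can(actor, action, invoice):
                raise Forbidden(f"{action} on invoice {invoice_id}")
            return handler(actor, invoice, *args, **kwargs)
        wrapper.gated_action = action
        return wrapper
    return decorate


ROUTES = {}


def route(path: str):
    def register(handler):
        ROUTES[path] = handler
        return handler
    return register


@route("GET /invoices/<id>")
def get_invoice_vulnerable(actor: Actor, invoice_id: int) -> int:
    """IDOR: looks up by the client-supplied id and never asks who owns it."""
    return INVOICES[invoice_id].amount


@route("GET /v2/invoices/<id>")
@authorize("read")
def get_invoice(actor: Actor, invoice: Invoice) -> int:
    return invoice.amount


@route("POST /v2/invoices/<id>/void")
@authorize("void")  # can() has no rule for 'void': only admins get through
def void_invoice(actor: Actor, invoice: Invoice) -> bool:
    invoice.amount = 0
    return True


def attempt(handler, actor: Actor, invoice_id: int):
    """Call a route; return its result, or 'FORBIDDEN' on denial."""
    try:
        return handler(actor, invoice_id)
    except Forbidden:
        return "FORBIDDEN"


def audit_ungated_routes() -> list:
    """The audit query: every registered route that did not go through authorize()."""
    return sorted(path for path, h in ROUTES.items() if not hasattr(h, "gated_action"))
```

Because the handler only ever receives an object that can() has already approved, the ownership check cannot be forgotten inside the handler; the only way to skip it is to skip the decorator, which is exactly what the audit reports.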
Lesson 10 · Intermediate

Session Management

Cookies, session tokens, secure flags, rotation after login. How servers bind an authenticated user to a browser — and how session fixation, predictable tokens, and missing HttpOnly break that binding.

Access Control · Session · Cookies
14 min
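Added example, not course code: an in-memory session store showing fixation (login_vulnerable keeps whatever pre-login id the browser arrived with) beside rotation on login, an idle timeout, and the Set-Cookie attributes that bind the id to one browser over TLS. SESSION_TTL_SECONDS and the cookie name are constructed values; the __Host- prefix and attribute semantics are standard browser behaviour.

```python
import secrets
import time
from typing import Optional

SESSION_TTL_SECONDS = 30 * 60  # idle timeout; constructed value


class SessionStore:
    """Server-side session table keyed by an unguessable id (256 bits from the OS CSPRNG)."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": str | None, "last_seen": float}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a cookie value to a user; unknown or expired ids resolve to nobody."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def login_vulnerable(self, sid: str, user: str) -> str:
        """The 'before': keeps the id the browser arrived with and attaches the
        user to it. If an attacker planted that id (fixation), the attacker's
        copy of the cookie is now an authenticated session."""
        entry = self._sessions.setdefault(sid, {"user": None, "last_seen": time.time()})
        entry["user"] = user
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Hardened: rotate on privilege change. The pre-login id is discarded and
        a fresh one bound to the user, so a planted id never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": time.time()}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Bind the id to the browser: HttpOnly (no script access), Secure (TLS only),
    SameSite=Lax (not sent on cross-site POSTs), and the __Host- prefix, which
    browsers only honour with Secure, Path=/ and no Domain, so subdomains can
    neither read nor overwrite it."""
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Rotation belongs at every privilege boundary, not only login: re-authentication, role change and password change should each discard the old id the same way.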
Real-world & Review · 2 lessons · 40 min
Lesson 11 · Intermediate

Access Control Case Studies

GitLab (2021) — GraphQL IDOR leaked private projects. Facebook (2018) — View As handed out an access token for the impersonated user. Capital One (2019) — SSRF reached the cloud metadata service and the credentials of an over-privileged role. The common thread: a server-side check that was missing or trusted the wrong thing.

Access Control · History · Breaches
18 min
Lesson 12 · Intermediate

Access Control Review & Practice

A curated set of progressively harder access-control challenges. IDOR, path traversal, privilege escalation, mass assignment, JWT — no hand-holding. The AC course final.

Access Control · Review · Practice
22 min

© 2026 SPNZ.
