PLAYER: player1 | XP: 500 | LEVEL: 4
👤 LIVE PROFILE SYSTEM
Current Profile ID: 1
👤 USER PROFILE LOADED
Name: Alice
Role: Standard User
Email: alice@demo.com
Try this attack technique:
- Change the ID in the URL manually
- Example: ?m=m4&step=2&id=2
- Observe how data changes without login checks
What this demonstrates:
- No authorization check on object access
- Users can access other users' data
- ID values should NOT be trusted
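
The missing check, shown beside a corrected lookup. This is an added example, not the lab's own code: the handler names, the status codes and the second profile (Bob) are assumptions, and only profile 1 (Alice) and the query string format come from the page.

```python
from urllib.parse import parse_qs

# Constructed sample data: only profile 1 (Alice) appears on the lab page;
# profile 2 is a hypothetical second user.
PROFILES = {
    1: {"name": "Alice", "role": "Standard User", "email": "alice@demo.com"},
    2: {"name": "Bob", "role": "Standard User", "email": "bob@demo.example"},
}

def requested_id(query):
    """Return the id parameter as an int, or None if absent, repeated or malformed."""
    values = parse_qs(query.lstrip("?")).get("id", [])
    if len(values) != 1 or not values[0].isascii() or not values[0].isdigit():
        return None
    return int(values[0])

def load_profile_vulnerable(query):
    """The lab's behaviour: whatever id the URL names is returned."""
    profile = PROFILES.get(requested_id(query))
    return (200, profile) if profile else (404, None)

def load_profile_checked(query, session_user_id):
    """Same lookup, but the server-side session identity decides what may be read."""
    if session_user_id is None:
        return (401, None)              # not logged in
    wanted = requested_id(query)
    if wanted is None:
        return (400, None)              # missing, repeated or non-numeric id
    if wanted != session_user_id:
        return (403, None)              # authenticated, but not the owner
    profile = PROFILES.get(wanted)
    return (200, profile) if profile else (404, None)

if __name__ == "__main__":
    # Session belongs to user 1 (Alice); compare both handlers per request.
    for q in ("?m=m4&step=2&id=1", "?m=m4&step=2&id=2"):
        print(q, load_profile_vulnerable(q)[0], load_profile_checked(q, 1)[0])
```

The ownership decision uses the session's user ID, which the server sets at login, so changing the URL no longer changes whose data is returned.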