web logic-bug hidden-parameters api authorization

Trigger hidden enum values or unsupported modes that remain fully implemented server-side even though the UI hides them.

Undocumented Mode / API Behavior through Simple Parameter Changes

The frontend is not the specification. Hidden enum values or unsupported modes often remain fully implemented server-side.

Why It Works

  • The client only exposes a subset of accepted values; the server still honors the rest, sometimes with different authorization or reward logic.

Vulnerable Pattern

  • Games, workflows, or dashboards where the client sends a mode/state field but exposes only one or two choices.

Exploit Flow

  1. Read bundled JS or API docs to enumerate accepted values.
  2. Mutate enums, sizes, counts, and boolean flags directly at the API level.
  3. Once a hidden mode works, inspect how authorization, win conditions, or reward logic differ there.

Variations

  • 4x4 instead of 3x3, admin-only status values, larger board sizes, or hidden role names.

Common Blockers

  • Backend validates strictly after all — but checking is cheap and high-value.

PoC Sketch

curl -X POST https://target/api/new-game \
  -H 'Content-Type: application/json' -d '{"mode":"4x4"}'
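What the server does with that request is the whole bug. The following Python is an added example, not the page's PoC and not code from the ehaxctf2026 tictactoe challenge: a minimal new-game handler showing the vulnerable pattern beside its fix. The mode table, the role names, the reward values, the `enabled` flag and the request shape are all assumptions made for illustration.

```python
# Added example, not from pwneglyph or the ehaxctf2026 tictactoe challenge.
# MODES, the role names, reward values, the "enabled" flag and the request
# shape are assumptions made for illustration.
AUDIT_LOG = []  # rejected requests land here so they can be alerted on

# Server-side mode table. The UI only renders "3x3", but every entry is fully
# implemented, which is exactly why the frontend is not the specification.
MODES = {
    "3x3":   {"size": 3, "reward": 10,   "min_role": "player", "enabled": True},
    "4x4":   {"size": 4, "reward": 50,   "min_role": "player", "enabled": False},  # built, never shipped
    "debug": {"size": 3, "reward": 1000, "min_role": "admin",  "enabled": True},   # admin tooling
}
ROLE_RANK = {"player": 0, "admin": 1}


def new_game_vulnerable(body: dict, role: str) -> dict:
    """Bug pattern: any key present in MODES is honoured, neither "enabled" nor
    min_role is consulted, and a client-supplied board size overrides the
    server's own value."""
    mode = body.get("mode", "3x3")
    if mode not in MODES:
        return {"error": "unknown mode"}
    cfg = MODES[mode]
    size = body.get("size", cfg["size"])  # trusts a client-controlled count
    return {"ok": True, "mode": mode, "size": size, "reward": cfg["reward"]}


def allowed_modes(role: str) -> set:
    """Allow-list per role, derived from the same table the handler uses, so a
    mode cannot become reachable without an explicit enabled/min_role decision."""
    rank = ROLE_RANK.get(role, -1)
    return {
        name for name, cfg in MODES.items()
        if cfg["enabled"] and ROLE_RANK[cfg["min_role"]] <= rank
    }


def new_game_hardened(body: dict, role: str) -> dict:
    """Fix: validate the enum against the caller's allow-list, ignore any
    client-supplied value that the mode already determines, and record
    rejections (a non-UI mode from a player is a probe, not a typo)."""
    mode = body.get("mode")
    if not isinstance(mode, str) or mode not in allowed_modes(role):
        AUDIT_LOG.append({"role": role, "mode": mode, "reason": "mode not allowed"})
        return {"error": "unsupported mode"}
    cfg = MODES[mode]
    # size comes from the server's table, never from the request body
    return {"ok": True, "mode": mode, "size": cfg["size"], "reward": cfg["reward"]}


if __name__ == "__main__":
    probe = {"mode": "debug", "size": 9}
    print("vulnerable:", new_game_vulnerable(probe, "player"))
    print("hardened:  ", new_game_hardened(probe, "player"))
    print("audit:     ", AUDIT_LOG)
```

The design point is that the allow-list is computed from the same table the handler reads, so "implemented but hidden" and "implemented and allowed" can never silently coincide; a mode ships only when someone sets `enabled` and picks a `min_role`.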

Good Situations To Use It

  • The client sends a mode/state field with few visible options.
  • Bundled JS or docs hint at more values.
  • Server-side validation looks lenient.
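The same signals read the other way round: if you own the backend, a request carrying a mode value the UI never shows is cheap to spot in access logs, and a single client cycling through several such values is a probe. The following Python is an added example, not the page's or the challenge's code; the JSON log format, the field names and the per-role exposure table are assumptions, and the log lines are constructed.

```python
# Added example, not from the pwneglyph page or the challenge it cites.
# The log format, field names and the per-role exposure table are assumptions.
import json
from collections import Counter

# Which mode values the real UI shows each role. Anything else in a request
# was typed into an API client, not clicked in the app.
UI_EXPOSED = {
    "player": {"3x3"},
    "admin":  {"3x3", "4x4", "debug"},
}

# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-01-10T12:00:01Z","src":"10.0.0.5","path":"/api/new-game","role":"player","body":{"mode":"3x3"},"status":200}
{"ts":"2026-01-10T12:00:02Z","src":"10.0.0.9","path":"/api/new-game","role":"player","body":{"mode":"4x4"},"status":200}
{"ts":"2026-01-10T12:00:03Z","src":"10.0.0.9","path":"/api/new-game","role":"player","body":{"mode":"5x5"},"status":400}
{"ts":"2026-01-10T12:00:04Z","src":"10.0.0.9","path":"/api/new-game","role":"player","body":{"mode":"debug"},"status":200}
{"ts":"2026-01-10T12:00:05Z","src":"10.0.0.7","path":"/api/new-game","role":"admin","body":{"mode":"debug"},"status":200}
{"ts":"2026-01-10T12:00:06Z","src":"10.0.0.5","path":"/api/new-game","role":"player","body":{"mode":"3x3","size":9},"status":200}
"""


def find_hidden_mode_use(log_text, path="/api/new-game", ui_exposed=UI_EXPOSED):
    """Return one finding per request whose mode is not something the caller's
    UI exposes, or which carries fields the UI never sends (sizes, counts,
    flags). A 2xx on a hidden mode means the server honoured it."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != path:
            continue
        body = rec.get("body") or {}
        mode = body.get("mode")
        visible = ui_exposed.get(rec.get("role"), set())
        extra = sorted(set(body) - {"mode"})
        if mode not in visible:
            kind = "hidden_mode_accepted" if rec["status"] < 400 else "hidden_mode_rejected"
            findings.append({"src": rec["src"], "role": rec["role"], "mode": mode, "kind": kind})
        elif extra:
            findings.append({"src": rec["src"], "role": rec["role"], "mode": mode,
                             "kind": "extra_fields", "fields": extra})
    return findings


def probing_sources(findings, threshold=2):
    """Clients with several findings are enumerating values, not mis-clicking."""
    counts = Counter(f["src"] for f in findings)
    return {src for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_hidden_mode_use(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("probing:", probing_sources(hits))
```

Triage order follows the `kind` field: `hidden_mode_accepted` means the backend already honours a value the UI hides and needs the allow-list fix, `hidden_mode_rejected` shows validation working but a client enumerating, and `extra_fields` catches mutated sizes, counts and flags on an otherwise normal mode.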

Sources

  • ehaxctf2026/web/tictactoe