Identity & Access Compromise Initiative
Client-side controls are not security. Bypass the disabled button.
Default credentials are the easiest way in.
Trick the database into ignoring the password check.
Tamper with the cookie to elevate your role.
Change the ID parameter to view another user.
Manipulate hidden form fields.
Find the hidden admin URL.
Decode the token payload to find secrets.
Read system files by escaping the web root.
Identify the active account that should be disabled.
Manipulate the server response to skip 2FA.
Steal the token from the URL fragment.
Decode the XML assertion to find the secret.