WEBVERSE


Difficulty: medium | Category: IDOR | Free

Briarcliff Foundation

An applicant portal for a small humanities-focused grantmaking foundation. The applicant has a button to manage their own submission — and the endpoint behind it is a little too obliging.

The Scenario

Briarcliff Foundation has accepted humanities and historical-preservation proposals through the same Fluxx-style applicant portal since 2018. The withdraw-application control was added late in development to spare the committee from clearing dead applications, and it shares plumbing with the committee's own review tooling.

Challenge Intel

Synopsis

POST /api/applications/<id>/decision is a multi-step BFLA — it accepts any decision value (including "approve") from any authenticated session, including the applicant who owns the application.

What It Is

The applicant's "Withdraw application" button on /applications/<id> fires POST /api/applications/<id>/decision with {"decision":"withdraw","comment":""}. The same endpoint is what the review committee posts to with decision "approve" / "decline" / "defer". The server only checks (a) the requester is authenticated and (b) the application exists — it does not verify that the requester is on the review committee, nor that the requester does not own the application. The player registers, submits an application, intercepts the withdraw POST, swaps "withdraw" for "approve", replays, and reloads /applications/<id> — the Award reference number now renders the flag.

Who It's For

Players who have already cleared horizontal IDOR and want to see how the same family of bugs presents as vertical (broken function-level) authorization on a multi-step workflow.

Skills You'll Practice

  • Recognising multi-step workflows where one step skips its access check
  • Spotting broken function-level authorization (BFLA / OWASP A01)
  • Replaying a POST body with a different free-form field value via Burp/curl

What You'll Gain

  • Every step of a state machine needs its own access check, not just the entry point
  • Free-form decision fields shared between roles are a structural BFLA risk
  • The principle of least surprise: write a separate /withdraw endpoint instead of overloading /decision
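As an added illustration that is not the challenge's own code, the following Python models the overloaded /decision handler described under "What It Is" (authenticated plus exists, then any decision value) next to the hardened shape the three points above call for: a committee-only /decision with a per-step role check, a separation-of-duties check, and a state check, and a separate owner-only /withdraw with no free-form decision field. Every name (Session, Application, the "committee" role, the AWD- award reference, the DENIED audit list) is assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


class Unauthenticated(Exception):
    pass


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


class Conflict(Exception):
    pass


@dataclass
class Session:
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)  # assumed role name: "committee"


@dataclass
class Application:
    app_id: str
    owner_id: str
    status: str = "submitted"
    award_ref: Optional[str] = None


# Decisions the committee may post and the state each one produces (assumed transitions).
COMMITTEE_DECISIONS = {"approve": "approved", "decline": "declined", "defer": "deferred"}

# Audit trail of denied calls: (user, application, attempted action). A detection
# rule would alert on the same account hitting Forbidden on a state-changing endpoint.
DENIED: List[Tuple[str, str, str]] = []


def sample_apps() -> Dict[str, Application]:
    """Constructed sample data: one submitted application owned by 'alice'."""
    return {"app-1": Application("app-1", owner_id="alice")}


def _load(session: Optional[Session], apps: Dict[str, Application], app_id: str) -> Application:
    """The only two checks the vulnerable handler performs."""
    if session is None:
        raise Unauthenticated()
    app = apps.get(app_id)
    if app is None:
        raise NotFound()
    return app


def vulnerable_decision(session, apps, app_id, decision):
    """Overloaded /decision: any authenticated session, any decision value, no state check."""
    app = _load(session, apps, app_id)
    transitions = dict(COMMITTEE_DECISIONS, withdraw="withdrawn")
    if decision not in transitions:
        raise ValueError("unknown decision")
    app.status = transitions[decision]
    if app.status == "approved":
        app.award_ref = f"AWD-{app_id}"  # reachable with the applicant's own session
    return app.status


def hardened_decision(session, apps, app_id, decision):
    """Committee-only /decision: function-level check, separation of duties, state check."""
    app = _load(session, apps, app_id)
    if "committee" not in session.roles or app.owner_id == session.user_id:
        DENIED.append((session.user_id, app_id, decision))
        raise Forbidden()
    if decision not in COMMITTEE_DECISIONS:
        raise ValueError("unknown decision")
    if app.status != "submitted":
        raise Conflict()  # a decided or withdrawn application is not re-decidable
    app.status = COMMITTEE_DECISIONS[decision]
    if app.status == "approved":
        app.award_ref = f"AWD-{app_id}"
    return app.status


def hardened_withdraw(session, apps, app_id):
    """Owner-only /withdraw: ownership check and a single fixed transition."""
    app = _load(session, apps, app_id)
    if app.owner_id != session.user_id:
        DENIED.append((session.user_id, app_id, "withdraw"))
        raise Forbidden()
    if app.status != "submitted":
        raise Conflict()
    app.status = "withdrawn"
    return app.status


if __name__ == "__main__":
    apps = sample_apps()
    print("vulnerable:", vulnerable_decision(Session("alice"), apps, "app-1", "approve"))
    apps = sample_apps()
    try:
        hardened_decision(Session("alice"), apps, "app-1", "approve")
    except Forbidden:
        print("hardened: applicant denied, status still", apps["app-1"].status)
    print("hardened withdraw:", hardened_withdraw(Session("alice"), apps, "app-1"))
```

The split matters more than the extra checks: once "withdraw" is its own endpoint, the applicant-facing route never carries a field that the committee's route interprets, so there is nothing to swap. The DENIED list stands in for the audit log a reviewer would watch for the same pattern.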

Ready to hack Briarcliff Foundation?

This challenge is free. Sign up and start hacking.