BugForge Write-Up 2/28/2026

Updated: Mar 1

Hint: Can you edit comments?

Note:

If there is an admin account active for a lab, the credentials are admin:admin123

I launched Caido.
I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now.
I created a user account, and once logged in, the app appeared to behave a lot like InstaGram. I could send messages, "like" messages, etc. so I poked around a bit, trying to see everything I could do with the app in order to generate some traffic to view via the proxy. Following along with the @7s26simon write-up, I created a new comment:

"POST /api/posts/1/comments"

traffic, so I highlighted that line, then right-clicked and selected, "Send to Replay -> Default Collection":

Next, moving over to the Caido "Replay" tab, I hit the red "Send" button so that I would have a baseline of what the traffic "Response" looked like (that might create a duplicate comment).
Once again, following along with the @7s26simon write-up, still in the Caido "Replay" tab, inside the "Request" pane, I made a slight change to the first line and again hit the red "Send" button. That allowed me to view in the "Replay" "Response" pane, other users comments, ID's, etc. Below is the change I made:

POST /api/posts/1/comments HTTP/1.1

to:

GET /api/posts/1/comments HTTP/1.1

So next, recommended by @7s26simon as a next-step, I made another slight change to the first line and again hit the red "Send" button. The change effectively allowed me to takeover the Admin account's commenting. Below is the change I made: