As usual, I was working on a fresh new target. My goal wasn't to hack it right away — I first wanted to understand every function, every button, every hidden feature. Who could invite whom. What free users saw versus premium ones.
I clicked around for a while. Profile settings, billing page, team dashboard.

One feature caught my eye: Invite Member to Team.

I clicked the button.
A popup appeared:
"Only Premium users can add members to their team."

Fair enough. I almost moved on.
But something felt off. The popup was clean, fast, no page reload. That meant the restriction was likely front‑end only.
What I checked next
I opened the browser's developer tools. Network tab.
Clicked the "Invite Member" button again.
Nothing in the network log. Just a JavaScript popup. No request to the server. That confirmed my suspicion: the check was client‑side.
So I asked myself: what if I go directly to the invite page?
The bypass
I typed this into the address bar:
/team/invite

Not /user/team – just /team/invite.

The page loaded.
No popup. No "Premium required". Just a full invitation form.
I entered an email address. Clicked "Send Invite".
The invitation was sent:
[Screenshot: the sent invitation]

Why this happened
The developer made two mistakes:
1. Front‑end validation only — The popup was just a JavaScript alert. It blocked the button, but the endpoint itself had no protection.
2. No server‑side tier check — When I called /team/invite directly, the backend never verified whether my account had premium access.

Impact
- Free users can invite team members without paying.
- Business logic bypass — potential revenue loss.
- All because one endpoint trusted the client to behave.
Key takeaway for you:
Never trust front‑end restrictions.
A grayed‑out button, a popup, a disabled field — none of these are security controls. They're UI hints.
Always check:
- Is the endpoint accessible directly?
- Does the server re‑validate permissions?
- Can I bypass the UI by crafting my own request?
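To make the two mistakes from "Why this happened" and the checklist above concrete, here is an added illustration that is not code from the original post or from the target application. It models the /team/invite endpoint as plain Python functions (no web framework, so it runs offline): the vulnerable handler that relies on the browser popup, a hardened handler where the server re-validates the premium tier before doing anything, and a regression check that calls each handler directly as a free and as a premium user, exactly the way the UI bypass does. The User, Response and require_premium names, the email addresses and the "free"/"premium" tier strings are all constructed assumptions.

```python
"""Added example (not the original post's code): server-side tier check for
a team-invite endpoint, vulnerable vs. hardened, plus a direct-call test."""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, List


@dataclass
class User:
    """Constructed stand-in for the authenticated account (assumption)."""
    email: str
    tier: str                       # "free" or "premium"
    team: List[str] = field(default_factory=list)


@dataclass
class Response:
    """Minimal HTTP-like response so the handlers can be asserted on."""
    status: int
    body: str


def invite_member_vulnerable(current_user: User, invitee: str) -> Response:
    """Mistake from the write-up: the only tier check lived in the browser
    popup, so the endpoint itself never looks at current_user.tier and
    happily performs the side effect for anyone who reaches it."""
    current_user.team.append(invitee)
    return Response(200, f"Invitation sent to {invitee}")


def require_premium(handler: Callable[[User, str], Response]) -> Callable[[User, str], Response]:
    """Hypothetical route-level guard: the entitlement is re-validated on the
    server for every call, regardless of what the UI showed or whether the
    button was disabled. Applying it at the route means every team-management
    endpoint gets the check, not just the one the UI happens to gate."""
    @wraps(handler)
    def guarded(current_user: User, invitee: str) -> Response:
        if current_user.tier != "premium":
            # Deny before any side effect; the message mirrors the popup text.
            return Response(403, "Only Premium users can add members to their team.")
        return handler(current_user, invitee)
    return guarded


@require_premium
def invite_member_fixed(current_user: User, invitee: str) -> Response:
    """Same business logic as the vulnerable handler; authorization now
    happens server-side in the decorator before this body runs."""
    current_user.team.append(invitee)
    return Response(200, f"Invitation sent to {invitee}")


def direct_request_check(handler: Callable[[User, str], Response], tier: str) -> int:
    """Regression check mirroring the post's checklist: hit the endpoint
    directly (no UI involved) as a user of the given tier and return the
    status code. A correct server answers 403 for "free" and 200 for "premium"."""
    user = User(email="tester@example.invalid", tier=tier)      # constructed
    return handler(user, "newmember@example.invalid").status    # constructed


if __name__ == "__main__":
    for name, handler in (("vulnerable", invite_member_vulnerable),
                          ("fixed", invite_member_fixed)):
        print(f"{name}: free -> {direct_request_check(handler, 'free')}, "
              f"premium -> {direct_request_check(handler, 'premium')}")
```

Running it shows the vulnerable handler returning 200 for both tiers (the bug described in the post) while the hardened handler returns 403 for a free account and 200 for a premium one. The direct_request_check function is the kind of test a team can keep in its suite so that a future UI-only restriction on any tier-gated endpoint is caught before release.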
Now go test those "blocked" features. You might be surprised what you find.