So I was poking around on a target, let's call it Monday.com, doing my usual bug bounty thing, and I stumbled into something really interesting.
The Setup
This platform has a feature where admins can create "action buttons", think of them like little shortcuts that do stuff for you automatically.
There's a permission toggle that controls whether other members can use these buttons. When the admin enables it, everyone can see and use them. Cool.
When the admin disables it, the button disappears from everyone else's view. Makes sense, right? Permission revoked, button gone, problem solved.
Except… not really.
What Actually Happens
Here's where it gets interesting. The button disappears from the UI, sure. You can't see it anymore. But the backend doesn't actually care: the toggle only controls whether the button is rendered, and the endpoint behind it never re-checks the permission. It never got the memo that you're not supposed to use it anymore.
So if you captured the HTTP request from when you clicked that button earlier, maybe with Burp Suite or even just your browser's dev tools, you can just replay it. Send the exact same request again, with your own still-valid member session. And it works. The action button fires like nothing ever changed.
The frontend said "no." The backend said "yeah sure, go ahead."
Steps to Reproduce
- Log in as the admin. Create an action button. Enable the permission that lets other members use it.
- Switch to another member's account. You'll see the button. Click it. It works. While you're at it, grab that HTTP request, save it somewhere.
- Go back to the admin's account. Disable that same permission.
- Check the other member's dashboard again. The button is gone. Vanished. You can't see it or click it anymore.
- Now replay that saved request. Send it. Watch it succeed. The action runs as if nothing changed.
That's it. That's the whole bug.
Why This Matters
The app enforces this permission in the frontend only; the backend never re-checks it. That is a missing server-side authorization check, the classic broken access control pattern: hiding a control in the UI is not the same as refusing the request. It's like locking the front door but leaving the back window wide open.
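To make the difference concrete, here is an added example (my own illustration, not Monday.com's code; board, button and user names are invented) that models the flow from the steps above twice: once with a handler that relies on the UI having hidden the button, and once with a handler that reads the permission from server state on every request. The replay in step 5 succeeds against the first and is refused by the second.

```python
# Added example, not code from the original post or the platform it describes.
# Minimal in-memory model of "action buttons" with a members-can-use toggle.
# Board/button/user identifiers are invented for illustration.
from dataclasses import dataclass, field


@dataclass
class Button:
    members_can_use: bool = False


@dataclass
class Board:
    admin: str
    buttons: dict = field(default_factory=dict)  # button_id -> Button


@dataclass(frozen=True)
class ActionRequest:
    """What a captured HTTP request carries: who, which board, which button."""
    user: str
    board_id: str
    button_id: str


class ActionService:
    def __init__(self):
        self.boards = {}
        self.fired = []  # log of (user, button_id) for actions that actually ran

    # --- admin side ---------------------------------------------------
    def create_board(self, board_id, admin):
        self.boards[board_id] = Board(admin=admin)

    def create_button(self, board_id, admin, button_id, members_can_use):
        board = self.boards[board_id]
        if admin != board.admin:
            raise PermissionError("only the admin manages buttons")
        board.buttons[button_id] = Button(members_can_use=members_can_use)

    def set_members_can_use(self, board_id, admin, button_id, enabled):
        board = self.boards[board_id]
        if admin != board.admin:
            raise PermissionError("only the admin manages buttons")
        board.buttons[button_id].members_can_use = enabled

    # --- the endpoint the captured request hits -----------------------
    def run_vulnerable(self, req):
        """Trusts that the UI already hid the button: no authorization check at all."""
        board = self.boards[req.board_id]
        board.buttons[req.button_id]  # only checks the button exists
        self.fired.append((req.user, req.button_id))
        return True

    def run_fixed(self, req):
        """Reads the toggle from server state at request time, on every request."""
        board = self.boards[req.board_id]
        button = board.buttons[req.button_id]
        if req.user != board.admin and not button.members_can_use:
            raise PermissionError("403: members may not use this button")
        self.fired.append((req.user, req.button_id))
        return True


def replay_scenario(handler_name):
    """Walk the steps from the write-up; return (replay_fired, actions_run)."""
    svc = ActionService()
    handler = getattr(svc, handler_name)
    svc.create_board("board-1", admin="admin")
    svc.create_button("board-1", "admin", "btn-1", members_can_use=True)  # step 1

    captured = ActionRequest(user="member", board_id="board-1", button_id="btn-1")
    handler(captured)  # step 2: member clicks while allowed, request is saved

    svc.set_members_can_use("board-1", "admin", "btn-1", enabled=False)  # step 3

    try:
        handler(captured)  # step 5: replay the saved request after revocation
        replay_fired = True
    except PermissionError:
        replay_fired = False
    return replay_fired, len(svc.fired)


if __name__ == "__main__":
    print("vulnerable handler:", replay_scenario("run_vulnerable"))
    print("fixed handler:     ", replay_scenario("run_fixed"))
```

The fix is deliberately boring: `run_fixed` does not remember anything from the earlier click and does not trust anything in the request beyond the identity of the caller. It looks the toggle up fresh each time, so revoking the permission takes effect on the very next request, whether it comes from the UI or from a replayed capture.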
The Takeaway
Frontend checks are not security. They're decoration. If your server doesn't validate permissions on every single request, against the current state of the permission rather than a flag cached in a session or token when the page was first loaded, someone with a proxy tool and five minutes of free time can walk right past your shiny UI restrictions.
If you enjoyed this write-up, please give it a clap and follow me. Feel free to reach out. I'm always happy to chat about breaking things (responsibly).