July 5, 2026
Fool’s Mate — Breaking Client-Side Validation
A Web Security Walkthrough on Request Manipulation

By Chetan Pujari
3 min read
Challenge Name:_ Fool's Mate Category: Web Security / Client-Side Validation Difficulty: Beginner–Intermediate_
URL ROOM : https://tryhackme.com/room/foolsmate
Introduction
While solving the Fool's Mate challenge, I was presented with a web-based chess application hosted on a target IP address. At first glance, it looked like a simple chess endgame trainer where the objective was to play a single winning move.
However, after making the correct move, something interesting happened.
Instead of the server accepting the move and revealing the reward, the application displayed a warning dialog claiming it would shut down my PC if I played that move. This immediately suggested that the restriction was happening inside the browser, not on the backend.
That observation completely changed my approach.
Initial Recon
The challenge provided a web application accessible through an IP address.
The interface contained:
- A chessboard
- A "White to move" indicator
- A move list
- A reset button
The board clearly represented a mate-in-one puzzle.
Initial View
Playing the Correct Move
After analyzing the position, I played the winning move.
Instead of receiving success, a popup appeared saying:
"I'll shut down your PC if you play that."
This looked intimidating, but from a security perspective it raised an important question:
Was this validation happening on the client or on the server?
Warning Popup
Looking Behind the Scenes
To verify my assumption, I intercepted the HTTP traffic using Burp Suite.
When making a move, the application sent a POST request similar to:
POST /api/move HTTP/1.1
{
"from":"a1",
"to":"a8"
}POST /api/move HTTP/1.1
{
"from":"a1",
"to":"a8"
}The important observation was that the browser displayed the warning before trusting the server response.
This strongly suggested that the application relied on client-side JavaScript to block the move.
Client-side validation should never be treated as a security mechanism because users fully control their browsers and can modify requests before they reach the server.
Request Manipulation
Instead of relying on what the browser allowed, I intercepted the request in Burp Suite and manually modified the JSON payload.
The manipulated request was forwarded directly to the server.
Since the backend never rejected the move, it processed the request successfully.
Server Response
The server responded with:
- Status: checkmate
- Winner: white
- Most importantly…
It returned the flag inside the JSON response.
Burp Suite Response
The response clearly confirmed that the backend accepted the move and considered it valid.
Root Cause
The vulnerability existed because the application trusted client-side validation instead of enforcing the same logic on the server.
The workflow looked like this:
User plays move
│
▼
JavaScript blocks move
│
▼
User intercepts request
│
▼
Modified request reaches server
│
▼
Server accepts move
│
▼
Flag returnedUser plays move
│
▼
JavaScript blocks move
│
▼
User intercepts request
│
▼
Modified request reaches server
│
▼
Server accepts move
│
▼
Flag returnedThe browser attempted to prevent the move, but the backend had no corresponding validation.
As a result, anyone capable of intercepting HTTP traffic could bypass the restriction.
Why This Matters
One of the most common mistakes in web application security is assuming that users will always interact with the application through the intended interface.
In reality, attackers can:
- Modify HTTP requests
- Remove JavaScript validation
- Replay requests
- Change parameters
- Automate interactions
Because of this, every security decision must be enforced on the server.
Client-side checks should exist only to improve user experience — not to protect sensitive functionality.
Key Takeaways
During this challenge, the biggest lesson wasn't about chess — it was about web security fundamentals.
- Never trust client-side validation.
- Always inspect network traffic when application behavior seems unusual.
- If something is blocked only in the browser, verify whether the server actually enforces the same rule.
- Request manipulation remains one of the simplest yet most effective techniques during web application testing.
- Burp Suite is invaluable for understanding how frontend applications communicate with backend APIs.
Conclusion
The Fool's Mate challenge is a great demonstration of why client-side controls are not security controls.
A simple browser warning attempted to prevent users from making the winning move, but because the backend failed to validate the request independently, intercepting and modifying the HTTP request was enough to bypass the restriction and retrieve the flag.
Sometimes the most valuable clue isn't hidden deep inside the application it's recognizing where the validation is happening. Once I confirmed that the restriction existed only in the client, the solution became straightforward: intercept the request, manipulate the data, forward it to the server, and let the backend reveal the flag.
Thanks for reading! If you enjoyed this walkthrough, feel free to follow for more write-ups on CTF challenges, web exploitation, API testing, and practical cybersecurity techniques.