Lab 7
Level 1 - Beginner
Client-Side Role Bypass Lab
Level 1 Client-Side Security simulation: learn why trusting role state stored in the browser creates insecure privilege boundaries.
Client-Side Security • 20 min
Learning Objectives
This lab is a controlled simulation only. No real backend or dangerous code execution is used.
Objective 1
Review a fake user object where the current role is stored entirely on the client side.
Objective 2
Change the role value to show how easy browser-side privilege state is to manipulate.
Objective 3
Understand why backend permission checks must enforce every real authorization decision.
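The contrast behind these objectives, as an added example that is not part of the original lab: the client-side check only decides what the UI shows, while the server decides from its own session record. The session store, action names, and the functions showPrivilegedControls and handleRequest are hypothetical, and the sample data is constructed.

```javascript
// Client side: same shape as the lab's fake user object. Anything held here
// can be edited in the browser, so it may only drive what the UI displays.
const currentUser = { name: "demo", role: "user" };

function showPrivilegedControls(user) {
  return user.role === "admin"; // cosmetic decision only
}

// Server side (hypothetical): roles live in server-held session state.
const sessions = new Map([
  ["sess-demo", { name: "demo", role: "user" }], // constructed sample data
  ["sess-ops", { name: "ops", role: "admin" }],
]);
const requiredRole = new Map([
  ["view-profile", "user"],
  ["delete-user", "admin"],
]);
const rank = new Map([["user", 1], ["admin", 2]]);

// request.claimedRole is whatever the client sent; it is never consulted.
function handleRequest(request) {
  const session = sessions.get(request.sessionId);
  if (!session) return { status: 401, body: "not authenticated" };
  const needed = requiredRole.get(request.action);
  if (!needed) return { status: 404, body: "unknown action" };
  if (rank.get(session.role) < rank.get(needed)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: `${request.action} allowed for ${session.name}` };
}

// Simulate the lab: the role value is changed on the client.
currentUser.role = "admin";
const uiUnlocked = showPrivilegedControls(currentUser);
const tampered = handleRequest({
  sessionId: "sess-demo", action: "delete-user", claimedRole: currentUser.role,
});
const legit = handleRequest({
  sessionId: "sess-ops", action: "delete-user", claimedRole: "admin",
});
console.log({ uiUnlocked, tampered: tampered.status, legit: legit.status });
```

The edited client object unlocks the controls in the UI, but the request tied to the "user" session is still refused because the server never reads the claimed role.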
Challenge Area
Use the input fields below to safely simulate the vulnerable behavior.
Modified Client Role
Fake User Object
const currentUser = { name: "demo", role: "user" };
UI state: privileged controls hidden
Submitted role: (none yet)
Result Panel
Review the fake user object and enter a role value that bypasses the client-side privilege check in this simulation.