
BtSCTF 2026: Pokecollector Writeup — IDOR Through a Self-Issuing JWT
Platform BreakTheSyntax CTF 2026 Difficulty Easy OS Web Tags IDOR, JWT, OWASP API1:2023 Broken Object Level Authorization Pokecollector is the kind of web challenge that sits right inside the OWASP API Top 10’s number one slot — API1:2023 Broken Object Level Authorization. The application enforces its access rules in the UI and forgets to enforce them on the API. The fix is a single server-side validation; the cost of missing it is a leaked flag. ...
