🔬 ATLAS SECURITY LAB

Lab Vulnerabilities

Stored XSS in Posts
Post body renders innerHTML - try <script>alert(document.cookie)</script>
CSRF on Share/Like
POST /api/share?post_id=X - no CSRF token required
IDOR on Profiles
GET /api/users/[ID] - change ID to enumerate users
GraphQL Introspection
POST /graphql - __schema exposed, no auth required

Connect with friends and the world around you on Facebook.

Create a Page for a celebrity, brand or business.
🔬 LAB ACCOUNTS
atlas.security / fb123
victim.fb1 / password1
fb.admin / admin2024
Token in localStorage - session exposed