Behind the Curtain

The true story of the "Access Denied" initiative.

THE STORY

The "Access Denied" initiative was created for a simple reason: while platforms like Firebase, Appwrite, and Supabase have made it incredibly easy for students at STEM Assiut STEM School to build out complex club websites and personal projects, they also come with a hidden cost.

Because these Backend-as-a-Service tools hide traditional server logic, it is remarkably easy to accidentally expose your entire database to the public, or allow any user to pretend to be an administrator. We've seen critical vulnerabilities in almost every student project we reviewed—flaws that allow attackers to steal all user info or wipe the database completely.

THE PURPOSE

We believe the best way to learn how to fix these vulnerabilities is to experience exploiting them firsthand. This CTF (Capture The Flag) is an educational playground. Every challenge simulates a real, plausible logic flaw or misconfiguration that we have actually seen in the wild.

No real systems are harmed, and no actual data is at risk. Your goal is simply to learn how external attackers think, so you can secure your own projects against them. You will use free tools—like Postman, Chrome Dev Tools, Fiddler, or the terminal—to bend the server to your will.
