JavaScript

MetaProblems - Employee Vacation Scheduler

A vacation request portal hid an admin-only approve endpoint behind a UI button but left it open on the server. Reading the client-side JavaScript revealed the unexposed API action, and calling it directly self-approved the request.

MetaCTF - Security Services

Client-side password validation with per-character SHA-512 hashing. The password was recoverable by brute-forcing each character independently against the hash array exposed in the page source.