A hidden administrative scoreboard is accessible without proper authorisation. Attackers can access this page to view sensitive administrative features and debug information.
Directly browse to /score-board on the Juice Shop site.
The scoreboard page loads without requiring authentication or elevated privileges.
Observe that you can view administrative challenges and progress information.
Unauthorised access to admin-only functionality or hints.
Potential leakage of secret flags or internal challenge descriptions.
Insight into security challenges that could aid further exploitation.
Implement role-based access control (RBAC) to restrict scoreboard access to authorised users.
Hide or remove administrative routes from publicly accessible navigation.
Audit all endpoints to ensure proper authentication and authorisation checks.
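The following is an added example of the RBAC and endpoint-audit remediation described above, written in the Express-style JavaScript that Juice Shop's server uses. It is not Juice Shop's own code: `requireRole`, `auditRoutes`, the `/admin/debug-info` path, the role names and the user objects are constructed for illustration, and Express itself is replaced by a small `dispatch` stand-in so the example runs offline.

```javascript
// Added example (not Juice Shop's code): an Express-style role check for
// an admin-only route such as /score-board, plus a route-table audit that
// flags endpoints carrying no authorization middleware at all.

const ROLES = Object.freeze({ CUSTOMER: 'customer', ADMIN: 'admin' }); // constructed role names

// requireRole builds a middleware that denies the request unless an
// authenticated user with the required role is present:
// no user -> 401, wrong role -> 403, otherwise fall through to the handler.
function requireRole(role) {
  const middleware = function (req, res, next) {
    if (!req.user) {
      res.status(401).json({ error: 'authentication required' });
      return;
    }
    if (req.user.role !== role) {
      res.status(403).json({ error: 'insufficient privileges' });
      return;
    }
    next();
  };
  middleware.isAuthz = true; // marker so auditRoutes can recognise an authorization check
  return middleware;
}

// Minimal stand-ins for the Express response object and router, so the
// routes below can be exercised without the framework installed.
function makeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = function (code) { this.statusCode = code; return this; };
  res.json = function (payload) { this.body = payload; return this; };
  return res;
}

function dispatch(route, req) {
  const res = makeResponse();
  let i = 0;
  const next = () => {
    const fn = route.handlers[i++];
    if (fn) fn(req, res, next); // middlewares call next(); the handler ends the chain
  };
  next();
  return res;
}

// Route table in the shape app.get(path, ...middleware, handler) produces.
const scoreBoardHandler = (req, res) =>
  res.status(200).json({ challenges: ['constructed sample challenge'] });

const routes = [
  { method: 'GET', path: '/rest/products', handlers: [(req, res) => res.status(200).json([])] },
  // Weak: a hidden admin page with no authorization check (constructed path).
  { method: 'GET', path: '/admin/debug-info', handlers: [(req, res) => res.status(200).json({ debug: true })] },
  // Hardened: the score board behind the RBAC middleware.
  { method: 'GET', path: '/score-board', handlers: [requireRole(ROLES.ADMIN), scoreBoardHandler] },
];

// Paths that are public on purpose; everything else must carry an
// authorization middleware or it is reported.
const PUBLIC_PATHS = ['/rest/products'];

// auditRoutes returns "METHOD path" for every non-public route whose
// handler chain contains no middleware marked as an authorization check.
function auditRoutes(routeTable, publicPaths) {
  const allow = new Set(publicPaths);
  return routeTable
    .filter((r) => !allow.has(r.path))
    .filter((r) => !r.handlers.some((h) => h.isAuthz === true))
    .map((r) => `${r.method} ${r.path}`);
}

const scoreBoard = routes.find((r) => r.path === '/score-board');
console.log('anonymous  ->', dispatch(scoreBoard, {}).statusCode);
console.log('customer   ->', dispatch(scoreBoard, { user: { role: ROLES.CUSTOMER } }).statusCode);
console.log('admin      ->', dispatch(scoreBoard, { user: { role: ROLES.ADMIN } }).statusCode);
console.log('unprotected routes:', auditRoutes(routes, PUBLIC_PATHS));
```

The audit relies on the `isAuthz` marker, so any other authorization middleware in a real code base would need the same flag; the point is that a route is treated as a finding unless it is either on the explicit public list or demonstrably protected, which turns "audit all endpoints" into a check that can run in CI rather than a manual review.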