
S — Spoofing

Spoofing is about faking an identity. This page shows how easy it is when a system trusts the browser.

Identity: “Who are you?” The client can lie → verify server-side.

What it means

Spoofing happens when an attacker can act as someone else—by faking a username, stealing a session, or bypassing how identity is verified.

Why it matters

If identity can be faked, every action after that becomes untrustworthy: access control, approvals, and audit trails all collapse.

How to mitigate

Don’t trust identity coming from the browser. Validate sessions and permissions server-side, and use strong authentication where it matters.
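As an added illustration (not code from this page or its exercises), the sketch below shows a server-side handler that takes the sender from a verified session instead of from a form field that the browser could have edited, for example by removing `readonly`. The names `issue_session`, `authenticated_user`, `send_message` and the demo key are assumptions made for this example, and the token has no expiry to keep it short.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment loads it from a secret store.
SERVER_KEY = b"demo-key-for-illustration-only"


def _mac(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Called only after the user has authenticated; binds the name to a MAC."""
    return f"{username}.{_mac(username)}"


def authenticated_user(token: str):
    """Return the username the server vouches for, or None if the token is invalid."""
    username, sep, tag = token.rpartition(".")
    if not sep or not username:
        return None
    # Constant-time comparison so the check does not leak how much of the tag matched.
    ok = hmac.compare_digest(tag.encode(), _mac(username).encode())
    return username if ok else None


def send_message(session_token: str, form: dict) -> dict:
    """Handle a message submission; `form` is whatever the browser posted."""
    user = authenticated_user(session_token)
    if user is None:
        return {"status": 401, "error": "invalid session"}
    claimed = form.get("from")
    # The sender comes from the verified session, never from the form.
    # A mismatch means the field was changed client-side, so it is flagged for audit.
    return {
        "status": 200,
        "from": user,
        "body": form.get("body", ""),
        "spoof_attempt": claimed is not None and claimed != user,
    }


if __name__ == "__main__":
    token = issue_session("alice")
    # Constructed request: the browser claims the message is from bob.
    print(send_message(token, {"from": "bob", "body": "hi"}))
```
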

Message Tool


Did you know that readonly makes a field uneditable... it would be a shame if it got removed.

Mission hint: Send a message from someone other than alice (DevTools).

Email Viewer

The sender shown below is not the real sender. Inspect the element and find the real sender.


From
CEO <ceo@company.com>
Subject
Urgent: approve payment
Message
Hey, can you approve the transfer ASAP? I’m in a meeting.
Mission hint: Right-click this card → Inspect → look for data-real-sender.

Website Check

This “secure” link is spoofed. Your mission: find the real destination domain.

The whitelisted (safe) domain is: https://secure-bank.example


Order Confirmation

Thank you for your recent purchase. Your payment has been processed successfully and your order is now being prepared.

If you need to review your invoice or update your delivery details, please visit your secure customer portal below.

https://secure-bank.example