A1:2021 | Insecure Direct Object Reference (3) | Cycubix Docs

Observing Differences & Behaviors

A consistent principle from the offensive side of AppSec is to view differences from the raw response to what is visible. In other words (as you may have already noted in the client-side filtering lesson), there is often data in the raw response that doesn’t show up on the screen/page.


Developer Tools

  • Open the developer tools to see the HTTP request.

  • What data that shows up on the screen is also in the network information?.

  • Look for profile tab and see which fields are not visible in the profile. Submit your answer.


  • Select view profile on the corresponding page of WebGoat.

  • Intercept the request with ZAP, and open the request in the Manual Request Editor. Send the request and check the response. You will be able to see the hidden items.

  • Type your request "role" and "userid" in WebGoat.

Last updated