Welcome to Cycubix Docs

Welcome to Cycubix Docs
Our Cybersecurity Training Courses
Application Security Series
- Web Application Security Essentials
ISC2 Courses
AWS Courses
- AWS Certified Security – Specialty (SCS-C02)
Crowdstrike
- Troubleshooting Mac Devices
  - Mac sensors on macOS Ventura may fail to remove Falcon.app when uninstalling
  - System Extensions not activated
Jamf
- Jamf Protect

Powered by GitBook

On this page

Was this helpful?

Application Security Series

Web Application Security Essentials

WebGoat Labs | Web Application Security Essentials | Cycubix Docs

A1:2021 | Broken Access Control | Cycubix Docs

A1:2021 | Insecure Direct Object Reference | Cycubix Docs

A1:2021 | Insecure Direct Object Reference (3) | Cycubix Docs

PreviousA1:2021 | Insecure Direct Object Reference (2) | Cycubix Docs NextA1:2021 | Insecure Direct Object Reference (4) | Cycubix Docs

Last updated 11 months ago

Was this helpful?

Observing Differences & Behaviors

A consistent principle from the offensive side of AppSec is to view differences from the raw response to what is visible. In other words (as you may have already noted in the client-side filtering lesson), there is often data in the raw response that doesn’t show up on the screen/page.

Solution

Developer Tools

Open the developer tools to see the HTTP request.

What data that shows up on the screen is also in the network information?.
Look for profile tab and see which fields are not visible in the profile. Submit your answer.

ZAP

Select view profile on the corresponding page of WebGoat.
Intercept the request with ZAP, and open the request in the Manual Request Editor. Send the request and check the response. You will be able to see the hidden items.

Type your request "role" and "userid" in WebGoat.