A1:2021 | Missing Function Level Access Control (2) | Cycubix Docs
Relying on Obscurity
Relying on HTML, CSS or JavaScript to hide links that users don't normally access is relying on obscurity, not access control. It's a little older, but there was a case of a network router trying to protect (hide) admin functions with JavaScript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable
There are usually hints to functionality the UI (user interface) does not openly expose in:
HTML or JavaScript comments.
Commented-out elements.
Items hidden via CSS controls/classes.
Find two menu items not visible in the menu below that are, or would be, of interest to an attacker/malicious user, and enter the labels for those menu items (there are no links right now in the menus).
The following screen capture shows what the user can see:
Open the developer tools and go to Inspect Element.
Look for indications of something that would not be available to a typical user, such as:
Type "Users" and "Config" in the responses.
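The same review can be done over a page's markup before it ships. The following is an added example, not part of the Cycubix or WebGoat material: a stdlib-only Python script that parses a constructed menu and reports links that are only hidden by comments, commented-out elements, or CSS (the HIDDEN_CLASSES set is an assumed list of common hide classes). Anything it flags needs a server-side authorization check, because hiding it in the UI protects nothing.

```python
from html.parser import HTMLParser
import re

# Constructed sample: a menu that "hides" admin entries on the client side only.
SAMPLE_MENU = """<ul class="nav">
  <li><a href="/home">Home</a></li>
  <!-- TODO: admin links, enable after role check is added -->
  <!-- <li><a href="/users">Users</a></li> -->
  <li class="hidden"><a href="/config">Config</a></li>
  <li style="display: none"><a href="/audit">Audit log</a></li>
</ul>"""
HIDDEN_CLASSES = {"hidden", "d-none", "invisible"}  # assumed common hide classes
VOID = {"br", "hr", "img", "input", "meta", "link"}  # elements with no closing tag

class HiddenMenuAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (reason, link label or comment text) in document order
        self._hiding = []   # open non-void elements whose subtree is hidden
        self._in_a = False  # currently inside an <a> element
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        classes = set((a.get("class") or "").split())
        if tag not in VOID and ("hidden" in a or "display:none" in style
                                or classes & HIDDEN_CLASSES):
            self._hiding.append(tag)
        if tag == "a":
            self._in_a = True
    def handle_data(self, data):
        # Link text inside a hidden subtree: the user never sees it, the markup has it.
        if self._in_a and self._hiding and data.strip():
            self.findings.append(("css-hidden", data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
        if self._hiding and self._hiding[-1] == tag:
            self._hiding.pop()
    def handle_comment(self, data):
        # Commented-out markup still reaches the browser; report links inside it.
        links = re.findall(r"<a\b[^>]*>(.*?)</a>", data, re.S | re.I)
        self.findings += [("commented-out", t.strip()) for t in links]
        if not links and data.strip():
            self.findings.append(("comment", data.strip()))

def audit(html):
    parser = HiddenMenuAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit(SAMPLE_MENU)` to get the four findings in document order; visible links such as "Home" are not reported.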
Don't forget the URLs for the upcoming lab!