A1:2021 | Missing Function Level Access Control (2) | Cycubix Docs

Relying on Obscurity

If you are relying on HTML, CSS or javascript to hide links that users don’t normally access. It’s a little older, but there was a case of a network router trying to protect (hide) admin functions with javascript in the UI https://www.wired.com/2009/10/routers-still-vulnerable

Finding Hidden Items

There are usually hints to finding functionality the UI (User Interface) does not openly expose in:

  • HTML or javascript comments.

  • Commented out elements.

  • Items hidden via css controls/classes.

Your Mission

Find two menu items not visible in menu below that are or would be of interest to an attacker/malicious user and put the labels for those menu items (there are no links right now in the menus).

The following capture will show you what the user can see:

  • Open the developer tools and go to Inspect Element.

  • Look for indications of something that would not be available to a typical user. Such as:

  • Type "Users" and "Config" in the responses.

Don't forget the urls for the upcoming lab!

Last updated