A1:2021 | Missing Function Level Access Control (2) | Cycubix Docs
Relying on Obscurity
If you are relying on HTML, CSS or javascript to hide links that users don’t normally access. It’s a little older, but there was a case of a network router trying to protect (hide) admin functions with javascript in the UI https://www.wired.com/2009/10/routers-still-vulnerable
Finding Hidden Items
There are usually hints to finding functionality the UI (User Interface) does not openly expose in:
HTML or javascript comments.
Commented out elements.
Items hidden via css controls/classes.
Your Mission
Find two menu items not visible in menu below that are or would be of interest to an attacker/malicious user and put the labels for those menu items (there are no links right now in the menus).
The following capture will show you what the user can see:
Open the developer tools and go to Inspect Element.
Look for indications of something that would not be available to a typical user. Such as:
Type "Users" and "Config" in the responses.
Don't forget the urls for the upcoming lab!
Last updated