Missing Function Level Access Control (2)

Relying on Obscurity

If you are relying on HTML, CSS or javascript to hide links that users don’t normally access. It’s a little older, but there was a case of a network router trying to protect (hide) admin functions with javascript in the UI https://www.wired.com/2009/10/routers-still-vulnerable

Finding Hidden Items

There are usually hints to finding functionality the UI does not openly expose in …

HTML or javascript comments
Commented out elements
Items hidden via css controls/classes

Your Mission

Find two menu items not visible in menu below that are or would be of interest to an attacker/malicious user and put the labels for those menu items (there are no links right now in the menus).

Solution

You can inspect the DOM or review the source in the proxy request/response cycle. Look for indications of something that would not be available to a typical user Look for something a super-user or administator might have available to them

Right-click on the Log Out element, and click on Inspect Element
Just below in the HTML, we can see hidden fields: Users, Config.

PreviousInsecure Direct Object Reference (5)NextMissing Function Level Access Control (3)

Last updated 3 years ago