Missing Function Level Access Control (2)

Relying on Obscurity

Relying on HTML, CSS or JavaScript to hide links that users don't normally access is not access control: the hidden element is still delivered to the browser, and the function it points to is still reachable by anyone who finds it. It's a little older, but there was a case of a network router trying to protect (hide) admin functions with JavaScript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable
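The server-side check that hiding a link does not replace, as an added example rather than code from the original page or from the router in that story. The paths, roles and session shape are assumed for illustration:

```javascript
// Added example, not code from the original page: the control that a hidden
// link does not give you. Paths, roles and the session shape are assumptions
// made for illustration. Node.js, no dependencies.

// What each function requires. Anything not listed here is unknown, and an
// unknown path never falls through to "allowed".
const ROUTE_ROLES = {
  '/': ['user', 'admin'],
  '/profile': ['user', 'admin'],
  '/admin/users': ['admin'],
  '/admin/config': ['admin'],
};

// Own-property lookup, so a path such as "constructor" cannot resolve
// through Object.prototype to a truthy value.
function rolesFor(path) {
  return Object.prototype.hasOwnProperty.call(ROUTE_ROLES, path) ? ROUTE_ROLES[path] : null;
}

// Obscurity only: the menu is filtered per role, so a regular user never
// sees Users or Config. This is presentation, not access control.
function menuFor(role) {
  return Object.keys(ROUTE_ROLES).filter((p) => ROUTE_ROLES[p].includes(role));
}

// The router-style mistake: the server assumes that anyone requesting a
// path must have been shown the link, and serves any known path.
function handleObscurityOnly(path) {
  if (!rolesFor(path)) return { status: 404, body: 'not found' };
  return { status: 200, body: `ok: ${path}` };
}

// Function-level check: every request is tested against the role the
// server bound to the session at login. Nothing about the UI is trusted.
function handleRequest(session, path) {
  if (!session || !session.role) return { status: 401, body: 'login required' };
  const allowed = rolesFor(path);
  if (!allowed) return { status: 404, body: 'not found' };
  if (!allowed.includes(session.role)) return { status: 403, body: 'forbidden' };
  return { status: 200, body: `ok: ${path}` };
}

// A regular user who found "Users" in the DOM and requests it directly.
const user = { role: 'user' };
console.log('menu shown to user:', menuFor(user.role));
console.log('obscurity-only server:', handleObscurityOnly('/admin/users'));
console.log('server with function-level check:', handleRequest(user, '/admin/users'));
```

Run it with node. The obscurity-only handler answers 200 for /admin/users to anyone who learned the path, whether from Inspect Element or a guess; the checked handler answers 403 to the same caller, and the menu filtering changes nothing either way.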

Finding Hidden Items

There are usually hints pointing to functionality the UI does not openly expose in …​

  • HTML or JavaScript comments

  • Commented-out elements

  • Items hidden via CSS controls/classes

Your Mission

Find two menu items not visible in the menu below that are, or would be, of interest to an attacker or malicious user, and enter the labels of those menu items (the menus contain no links right now).


💡 You can inspect the DOM or review the source in the proxy request/response cycle.

💡 Look for indications of something that would not be available to a typical user.

💡 Look for something a super-user or administrator might have available to them.

  • Right-click on the Log Out element, and click on Inspect Element

  • Just below it in the HTML, we can see two hidden menu items: Users and Config.
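The search that the hints above and this Inspect Element walk-through describe, automated over a captured response body, as an added example that is not code from the original page. The HTML is a constructed sample, and the list of hiding class names is a heuristic:

```javascript
// Added example, not code from the original page: a scanner for the three
// kinds of hints listed above, run over a captured response body the way
// you would read it in an intercepting proxy. Node.js, no dependencies.

// Constructed sample response: one visible menu plus items hidden by a
// comment, a CSS class, an inline style and the `hidden` attribute.
const SAMPLE_HTML = `
<ul id="menu">
  <li><a href="/">Home</a></li>
  <li><a href="/profile">Profile</a></li>
  <li><a href="/logout">Log Out</a></li>
  <!-- <li><a href="/admin/users">Users</a></li> -->
  <li class="nav-item hidden"><a href="/admin/config">Config</a></li>
  <li style="display:none"><a href="/admin/audit">Audit Log</a></li>
  <!-- TODO: show Export once the role check is in place -->
  <li hidden><a href="/admin/export">Export</a></li>
</ul>`;

// Class names that commonly hide an element. A heuristic: extend it with
// whatever the target's stylesheet actually uses.
const HIDING_CLASSES = ['hidden', 'hide', 'd-none', 'invisible'];

// Visible label of a markup fragment: strip tags, collapse whitespace.
function textOf(fragment) {
  return fragment.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
}

// Every HTML comment, flagged when it contains markup (a commented-out
// element) so its label can be recovered as well.
function findComments(html) {
  const out = [];
  const re = /<!--([\s\S]*?)-->/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1].trim();
    out.push({ raw, containsMarkup: /<\w+/.test(raw), label: textOf(raw) });
  }
  return out;
}

// Why an opening tag's attributes hide the element, or null if they don't.
function hidingReason(attrs) {
  const cls = attrs.match(/class\s*=\s*["']([^"']*)["']/i);
  if (cls && cls[1].split(/\s+/).some((c) => HIDING_CLASSES.includes(c.toLowerCase()))) {
    return 'class';
  }
  if (/style\s*=\s*["'][^"']*(display\s*:\s*none|visibility\s*:\s*hidden)/i.test(attrs)) {
    return 'style';
  }
  if (/(^|\s)hidden(?=[\s=]|$)/i.test(attrs)) return 'hidden attribute';
  return null;
}

// Elements hidden by class, inline style or attribute, with their labels.
// Comments are stripped first so commented-out markup is not counted twice.
function findCssHidden(html) {
  const body = html.replace(/<!--[\s\S]*?-->/g, '');
  const out = [];
  const openTag = /<(\w+)([^>]*?)\/?>/g;
  let m;
  while ((m = openTag.exec(body)) !== null) {
    const [whole, tag, attrs] = m;
    const hiddenBy = hidingReason(attrs);
    if (!hiddenBy) continue;
    // Label is the text up to the first matching close tag; menu items are
    // not nested, so this is enough here.
    const start = m.index + whole.length;
    const end = body.indexOf(`</${tag}>`, start);
    out.push({ tag, hiddenBy, label: textOf(end === -1 ? '' : body.slice(start, end)) });
  }
  return out;
}

// Combined report: labels worth trying to reach directly, plus developer
// comments worth reading for paths and TODOs.
function findHiddenItems(html) {
  const comments = findComments(html);
  const cssHidden = findCssHidden(html);
  const candidateLabels = [
    ...comments.filter((c) => c.containsMarkup).map((c) => c.label),
    ...cssHidden.map((e) => e.label),
  ];
  return { comments, cssHidden, candidateLabels };
}

console.log(JSON.stringify(findHiddenItems(SAMPLE_HTML), null, 2));
```

On the sample, the candidate labels come back as Users, Config, Audit Log and Export, and the second comment surfaces the developer's TODO. Paste a real response body from the proxy in place of SAMPLE_HTML to use it against a target; anything it reports is a function to request directly, since the hiding says nothing about whether the server checks who is asking.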
