Vulnerability A7 Missing Function Level Access Control Description:



For almost all levels I will be using Burpsuite. Burpsuite is an interception proxy that lets us modify the HTTP request / response by intercepting the data between the browser and the web server.

Let’s see the request in Burpsuite.

GET /ctf2/exercises/ex5.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=gdc668pjmpah42hegt7sa7igc3
Connection: keep-alive

Hm, no special Cookies, no function parameters. Let’s take a look at the source.

<p class="lead">You are not logged in. Please <a class="btn btn-sm btn-info" disabled href="login.html">login</a> to access this page.</p>

The button to login is disabled. Let’s delete the ‘disabled’ attribute and maybe find something there. Right-Click on the login button -> InspectElement. However the link is bogus, it returns 404 not found.


The instructions state that this page is only viewable by logged in users. How can we simulate that we are coming from a page within an logged in account? Using the Referer HTTP header of course. Lets refresh the page and modify the request using Burp.


Inserting Referer HTTP header with value “” circumvents the Access Control that we are coming from a page that’s already within a logged in account.