Vulnerability: A7 Missing Function Level Access Control
For almost all levels I will be using Burpsuite. Burpsuite is an interception proxy that lets us modify the HTTP request / response by intercepting the data between the browser and the web server.
Let’s see the request in Burpsuite.
Hm, no special cookies and no function parameters. Let's take a look at the source.
Right-click on the login button -> Inspect Element. The login button is disabled; let's delete the 'disabled' attribute and maybe find something there. However, the link is bogus: it returns 404 Not Found.
The instructions state that this page is only viewable by logged-in users. How can we simulate that we are coming from a page within a logged-in account? Using the Referer HTTP header, of course. Let's refresh the page and modify the request using Burp.
Inserting a Referer HTTP header with the value "http://ctf.infosecinstitute.com/ctf2/exercises/login.html" circumvents the access control: the server only checks that the request appears to come from a page inside a logged-in account, and the Referer header is entirely client-controlled, so it proves nothing about authentication.
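To make the root cause concrete, here is an added illustration (not code from the CTF or its authors) of the flawed check this level models next to the server-side check that fixes it. The session store, the cookie name `session`, the header dictionaries and the function names are constructed for the example; only the login page URL comes from the write-up.

```python
"""Access control by Referer header vs. by server-side session.

Added illustration for the walkthrough above; not code from the CTF itself.
The session store, cookie name and header dicts are constructed sample data.
"""
import secrets

# URL quoted in the write-up; the only non-constructed value here
LOGIN_PAGE = "http://ctf.infosecinstitute.com/ctf2/exercises/login.html"

# Constructed server-side session store: session id -> username
SESSIONS = {}


def login(username: str) -> str:
    """Create a server-side session and return its opaque id (the cookie value)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def vulnerable_is_logged_in(headers: dict) -> bool:
    """The flawed check the CTF level models: it trusts the client-supplied Referer.
    Any client can set this header, so it says nothing about authentication."""
    referer = headers.get("Referer", "")
    return referer.startswith(LOGIN_PAGE)


def hardened_is_logged_in(headers: dict) -> bool:
    """Server-side check: the session id in the Cookie must exist in SESSIONS.
    Referer is ignored entirely; only state the server created is trusted."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    sid = cookies.get("session", "")
    return sid in SESSIONS


def serve_protected(headers: dict, check) -> int:
    """Return the HTTP status the protected page would answer with under a given check."""
    return 200 if check(headers) else 403


if __name__ == "__main__":
    forged = {"Referer": LOGIN_PAGE}          # no cookie, only a forged Referer
    print("vulnerable:", serve_protected(forged, vulnerable_is_logged_in))  # 200
    print("hardened:  ", serve_protected(forged, hardened_is_logged_in))    # 403
    real = {"Cookie": "session=" + login("alice")}
    print("hardened, real session:", serve_protected(real, hardened_is_logged_in))  # 200
```

The hardened version never consults Referer: the decision depends only on a session id that the server itself issued, so a client cannot talk its way into the page by adding headers. Detection-wise, requests to the protected page that carry a plausible Referer but no session cookie are exactly the pattern the vulnerable check lets through.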