[Access Control] Lab 4: Unprotected admin functionality with unpredictable URL




Different techniques are used to hide sensitive functionality rather than actually protect it. One is to give a page such as the admin panel a long, unpredictable URL so that it cannot be guessed or brute-forced; another is to use client-side JavaScript to check whether the current user is privileged and only then add the admin page button to the UI.

The weakness is that the JavaScript has to contain the admin URL in order to build that button, whether or not the check passes. Anyone who reads the page source can recover the URL from the inline JavaScript and browse to the admin page directly.



On going to the lab site we can see a few different buttons. The first thing to do is press Ctrl+U to view the raw HTML of the page.


As soon as we hit Ctrl+U we can see the inline JavaScript that decides whether or not to display the admin page button; it sits at the bottom of the raw HTML document.

After taking a closer look:



We can get the path to the admin page straight from the script and browse to it directly, without being an administrator.
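The manual Ctrl+U step above scales badly across a large site, and the same leak appears whenever a privilege check runs in the browser. The following is an added example, not code from the lab or from the original post: a small Node.js script that pulls inline `<script>` blocks out of an HTML response and extracts any path that the script wires into a link, plus a check for the client-side "isAdmin" gate that makes the leak matter. The HTML is constructed for the example and the path `/admin-example1234` is made up; it is not the lab's real admin URL.

```javascript
// Constructed sample response: the admin link is gated client-side, so the
// path is present in the source even for an unprivileged user.
// The path "/admin-example1234" is invented for this example.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><body>
<section class="top-links">
  <a href="/my-account">My account</a>
</section>
<script>
var isAdmin = false;
if (isAdmin) {
   var topLinksTag = document.getElementsByClassName("top-links")[0];
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-example1234');
   adminPanelTag.innerText = 'Admin panel';
   topLinksTag.append(adminPanelTag);
}
</script>
</body></html>`;

// Return the body of every inline <script> block in an HTML document.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Find string literals that a script assigns to a link target or navigates to.
// Returns unique paths in order of first appearance.
function findHiddenPaths(html) {
  const found = new Set();
  const patterns = [
    /setAttribute\(\s*['"]href['"]\s*,\s*['"]([^'"]+)['"]\s*\)/g, // el.setAttribute('href', '...')
    /\.href\s*=\s*['"]([^'"]+)['"]/g,                            // el.href = '...'
    /location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/g,               // location = '...'
  ];
  for (const js of inlineScripts(html)) {
    for (const p of patterns) {
      p.lastIndex = 0; // reset the global regex between script blocks
      let m;
      while ((m = p.exec(js)) !== null) found.add(m[1]);
    }
  }
  return [...found];
}

// Flag the anti-pattern itself: an authorization decision made in the browser.
// A hidden link is only a problem when the server does not enforce the check too.
function hasClientSideAdminGate(html) {
  return inlineScripts(html).some(
    (js) => /\bisAdmin\b/.test(js) && /\bif\s*\(/.test(js)
  );
}

console.log('client-side admin gate:', hasClientSideAdminGate(SAMPLE_HTML));
console.log('paths found in inline scripts:', findHiddenPaths(SAMPLE_HTML));
```

To use this against a real target, replace SAMPLE_HTML with the response body saved from Ctrl+U or from Burp. The practical takeaway is the same as in the lab: an unpredictable URL and a client-side check are not access control. The server must authorize every request to the admin path on its own, regardless of whether the link was ever shown.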







Deleting the user carlos from the admin panel solves the lab. Good bye carlos!

