OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert
Shady Oaks Financial writeup (Broken auth)

Step 1: Register
Register for an account. Whilst in this lab there was nothing overly unusual about the registration process, be on the lookout anyway, just in case you spot anything.

Step 2: Identifying endpoints
After browsing around and looking through the front-end, I realised there were some API calls that weren't actually being made by the app. So I decided to investigate. The first one I checked was /api/admin/users, which I found via the JS recon buddy extension:

This returned all current users in the app, which struck me as interesting, because this was an ‘admin’ endpoint and my role was ‘user’ as you can see below:

This looks like the vector is broken access control. But the flag isn’t in this endpoint.
Step 3: Testing for other endpoints
If you try to access these API endpoints in the browser directly, you get an error about a token. I switched over to Firefox after this because I can just edit and re-send in there (you can in Burp too, but I like just using the browser unless it's necessary to go into Burp Suite).

/api/admin/flag was listed. Presumably this wouldn’t need auth either?

Jumping over into Firefox, logging in and calling the endpoint via the dev console's network tab allowed me to take an existing request using my "user" session token and re-send it to an admin endpoint, which granted access, confirming there was indeed broken access control:
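
As an added example (not the lab's own code; the tokens, sessions and route handlers below are all constructed), this is the server-side gap the writeup found: the API checks that a token exists but never checks the session's role before serving /api/admin/* routes. The vulnerable handler sits beside the fixed one:

```javascript
// Constructed session store: token -> session record held by the server.
// The lab's real tokens are not known; these are placeholders.
const SESSIONS = {
  'tok-user-1':  { user: 'alice', role: 'user' },
  'tok-admin-1': { user: 'root',  role: 'admin' },
};

// Hypothetical route table: each path names the minimum role it requires.
const ROUTES = {
  '/api/admin/users': { role: 'admin', handler: () => ({ users: ['alice', 'root'] }) },
  '/api/admin/flag':  { role: 'admin', handler: () => ({ flag: 'FLAG{placeholder}' }) },
  '/api/profile':     { role: 'user',  handler: (s) => ({ user: s.user }) },
};

// Role ordering used for the check; anything unknown ranks lowest.
const RANK = { user: 1, admin: 2 };

// Vulnerable: authentication only. Any valid token, whatever its role,
// reaches every handler, which is exactly what the writeup observed
// when a "user" token was re-sent to /api/admin/users.
function handleVulnerable(path, token) {
  const session = SESSIONS[token];
  if (!session) return { status: 401, body: { error: 'missing or invalid token' } };
  const route = ROUTES[path];
  if (!route) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: route.handler(session) };
}

// Fixed: authentication, then an explicit per-route authorization check.
// The role is read from the server's own session record, never from the client.
function handleFixed(path, token) {
  const session = SESSIONS[token];
  if (!session) return { status: 401, body: { error: 'missing or invalid token' } };
  const route = ROUTES[path];
  if (!route) return { status: 404, body: { error: 'not found' } };
  if ((RANK[session.role] || 0) < RANK[route.role]) {
    // Worth logging: a "user" session reaching for /api/admin/* is a detection signal.
    console.warn(`authz denied: ${session.user} (${session.role}) -> ${path}`);
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: route.handler(session) };
}
```

The point of the fix is that the role decision happens on the server for every admin route, so hiding the endpoint from the front-end or relying on the token alone is never the control.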

Thanks for reading!