What is Failure to Restrict URL Access Vulnerability/Threat?
Failure to restrict URL access occurs when applications only hide functionality from non-privileged users instead of protecting it. In an application that fails to restrict URL access, administration links are only put onto the page if the user is an administrator. However, if non-privileged users discover the administration page’s address, they can still access it directly via its URL.
Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. The easier the authentication is to include in a page, the more likely it is that all pages will be covered by the policy.
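The difference between hiding a link and enforcing access on every request, as an added example that is not part of the original post or the challenge's code. The routes, role names and dispatcher functions are hypothetical; every route must declare its required role at registration, so no page can be added without a policy.

```python
# Added example: constructed routes, users and role names (all hypothetical).
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

# Route table: path -> (handler, required role). None means public.
ROUTES = {}

def route(path, requires):
    # 'requires' has no default, so a page cannot be registered without a policy.
    def register(handler):
        ROUTES[path] = (handler, requires)
        return handler
    return register

@route("/home", requires=None)
def home(user):
    # Hiding the link is presentation only; it is not access control.
    roles = user.roles if user else frozenset()
    links = ["/home"] + (["/admin/results"] if "admin" in roles else [])
    return "links: " + ", ".join(links)

@route("/admin/results", requires="admin")
def admin_results(user):
    return "administrator result page"

def dispatch_link_hiding_only(path, user):
    """Vulnerable: trusts that users only follow links the page showed them."""
    handler, _ = ROUTES[path]
    return 200, handler(user)

def dispatch_enforced(path, user):
    """Hardened: authentication and authorization checked on every request."""
    if path not in ROUTES:
        return 404, "not found"
    handler, requires = ROUTES[path]
    if requires is not None:
        if user is None:
            return 401, "authentication required"
        if requires not in user.roles:
            return 403, "forbidden"
    return 200, handler(user)
```
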
With that said let’s try and complete this round of the game. We are presented with this page.
If we look closer at the page we can see the words “web page” highlighted.
When we hover over the words, our mouse cursor changes as if the text were a link, but clicking it doesn’t bring us anywhere. So we need to check out the source code. If you right-click on the words and choose ‘Inspect Element’, this will open up our developer tools.
Above we see the HTML tags and elements, and there is not much we can do with the highlighted text. But if we look at the code underneath it, we can see the HTML attribute ‘style="display: none"’. If we change the word ‘none’ to the word ‘text’, can we then see what is being hidden?
Now, hit enter and close the developer tool and what do we see?
We have loaded the ‘Administrators Result Page’ to the web page by changing the code. So now we can just click on the highlighted part to bring us to the solution key.
Enter the key and hit submit, et voilà. Success.
Thanks for reading.