Open navigation menu

Welcome to Scribd!

Lab 1-Unprotected Admin Functionality

Uploaded by

DODOXD Mekheimer

0% found this document useful (0 votes)

81 views3 pages

The document describes how a user exploited unprotected admin functionality on a website. They were able to edit the GET request to access the administrator panel where they should not have access. Once in the admin panel, the user was able to delete another user named Carlos, demonstrating the security risk of including sensitive data in GET/POST/PULL requests that can be manipulated.

Original Description:

Copyright

© © All Rights Reserved

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

The document describes how a user exploited unprotected admin functionality on a website. They were able to edit the GET request to access the administrator panel where they should not have access. Once in the admin panel, the user was able to delete another user named Carlos, demonstrating the security risk of including sensitive data in GET/POST/PULL requests that can be manipulated.

Copyright:

© All Rights Reserved

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

81 views3 pages

Lab 1-Unprotected Admin Functionality

Uploaded by

DODOXD Mekheimer

The document describes how a user exploited unprotected admin functionality on a website. They were able to edit the GET request to access the administrator panel where they should not have access. Once in the admin panel, the user was able to delete another user named Carlos, demonstrating the security risk of including sensitive data in GET/POST/PULL requests that can be manipulated.

Copyright:

© All Rights Reserved

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 3

Search inside document

Lab 1-Unprotected Admin Functionality

Ahmed Khaled Saad Ali ID:1809799

Screenshots:
Clicked “My Account”

Edited GET Request & Forwarding

It opens another GET Request we will replace it with “/administrator-panel” as

well and forward it
We obtained admin panel and we delete carlos

Lessons:
1. Don’t include sensitive data/info in GET/POST/PULL requests

You might also like

AME Document by Rida
Document33 pages
AME Document by Rida
Muhammad Abubakar
No ratings yet
Examen Asociado Laboratorios GCP
Document134 pages
Examen Asociado Laboratorios GCP
JOHAN SEBASTIAN CURTIDOR ZABALA
No ratings yet
Lab 3 - User Role Controlled by Request Parameter
Document7 pages
Lab 3 - User Role Controlled by Request Parameter
DODOXD Mekheimer
No ratings yet
Lab 11 - Multi-Step Process With No Access Control On One Step
Document5 pages
Lab 11 - Multi-Step Process With No Access Control On One Step
DODOXD Mekheimer
No ratings yet
Lab 12 - Referer-Based Access Control
Document3 pages
Lab 12 - Referer-Based Access Control
DODOXD Mekheimer
No ratings yet
Lab 5 - Method-Based Access Control Can Be Circumvented
Document6 pages
Lab 5 - Method-Based Access Control Can Be Circumvented
DODOXD Mekheimer
No ratings yet
VDK Associates ERP Flow
Document7 pages
VDK Associates ERP Flow
Arindam Bera
No ratings yet
IBM - Unable To Access Loca..
Document1 page
IBM - Unable To Access Loca..
Saravana Kumar
100% (1)
GI Test Enviroment Tasks
Document7 pages
GI Test Enviroment Tasks
Mohammed F. Shehata
No ratings yet
Lab 9 - User ID Controlled by Request Parameter With Password Disclosure. Ahmed Khaled Saad Ali ID:1809799
Document4 pages
Lab 9 - User ID Controlled by Request Parameter With Password Disclosure. Ahmed Khaled Saad Ali ID:1809799
DODOXD Mekheimer
No ratings yet
Mirza AS400 SOP
Document13 pages
Mirza AS400 SOP
ShuBham SinGh
No ratings yet
CS3002 Assignment4 S I190620 I180530
Document17 pages
CS3002 Assignment4 S I190620 I180530
Talha Zain
No ratings yet
Component Checking Steps
Document2 pages
Component Checking Steps
prakash9565
No ratings yet
IIS Manager Authentication IIS 7 and SBS 2011 - The Noc Cave
Document2 pages
IIS Manager Authentication IIS 7 and SBS 2011 - The Noc Cave
Clams Most
No ratings yet
Use Cases Description
Document4 pages
Use Cases Description
Mian Naveed
No ratings yet
12c Cloud Control
Document9 pages
12c Cloud Control
gmasay
No ratings yet
Enable or Disable User Account From Command Line
Document2 pages
Enable or Disable User Account From Command Line
emil2809
No ratings yet
JMS Integration
Document5 pages
JMS Integration
Venkat Subramanian
No ratings yet
Chapter 3 Getting Started With Oracle Enterprise Manager
Document10 pages
Chapter 3 Getting Started With Oracle Enterprise Manager
ahmerjamil
No ratings yet
Module 4: Administering and Troubleshooting Exchange Online Lab: Administering and Troubleshooting Exchange Online
Document9 pages
Module 4: Administering and Troubleshooting Exchange Online Lab: Administering and Troubleshooting Exchange Online
Ben Aissa Taher
No ratings yet
Employee Leaves Management System
Document1 page
Employee Leaves Management System
hina shahzadi
No ratings yet
Cannot Access AME Application After Applied AME B
Document5 pages
Cannot Access AME Application After Applied AME B
mohdilyas
No ratings yet
Puna Kontrola Nad Program Files Pod w7
Document1 page
Puna Kontrola Nad Program Files Pod w7
ejlena
No ratings yet
IBM How To Manually Recertify An Expired ID - United States
Document4 pages
IBM How To Manually Recertify An Expired ID - United States
Manuel Arcadio Salgado González
100% (1)
Lab - 1 Active Directory Installation
Document32 pages
Lab - 1 Active Directory Installation
sugapriya
No ratings yet
Zone Auditing
Document2 pages
Zone Auditing
Elie El Masry
No ratings yet
Lab 8.3.1: Adding Users in Windows 2000: Estimated Time: 10 Minutes Objective
Document4 pages
Lab 8.3.1: Adding Users in Windows 2000: Estimated Time: 10 Minutes Objective
Alfredo Nunes da Silva
No ratings yet
Unable To Access Logon Page LDAP
Document2 pages
Unable To Access Logon Page LDAP
andersomwss
No ratings yet
How To Control Access To My DGS-1210 With ACL and MAC Addresses
Document10 pages
How To Control Access To My DGS-1210 With ACL and MAC Addresses
Irvan Wiranata
No ratings yet
Optional Assignment
Document11 pages
Optional Assignment
vamsikrishna0022
No ratings yet
HiPath Xpressions Compact V3.0 DLI Administrator Manual
Document22 pages
HiPath Xpressions Compact V3.0 DLI Administrator Manual
enjoythedocs
No ratings yet
User Management Process Doc v1.1
Document2 pages
User Management Process Doc v1.1
v4snf8rp7y
No ratings yet
ABR 7 User Quick Start Guide - Windows UAC Confirm Mode
Document6 pages
ABR 7 User Quick Start Guide - Windows UAC Confirm Mode
Gustavo Ríos
No ratings yet
Module 11 - Implementing Software Defined Networking
Document9 pages
Module 11 - Implementing Software Defined Networking
Cong Tuan
No ratings yet
Use Case Diagram Example
Document8 pages
Use Case Diagram Example
Waleed Fraz
No ratings yet
Fast HDLM Installation/Config Steps
Document2 pages
Fast HDLM Installation/Config Steps
thifm
No ratings yet
Applies To:: Goal Solution
Document6 pages
Applies To:: Goal Solution
Anto Joe Natesh
No ratings yet
Websphere Application Server Overview
Document19 pages
Websphere Application Server Overview
Siddik Ahmed
No ratings yet
SEP Guide To Manually Uninstall-Reinstall SEP
Document3 pages
SEP Guide To Manually Uninstall-Reinstall SEP
verve1977
No ratings yet
Lab2 Identity - Setting Up PIM
Document24 pages
Lab2 Identity - Setting Up PIM
nair sreejith
No ratings yet
ICRM AES End User Guide For Application Request
Document17 pages
ICRM AES End User Guide For Application Request
Satyam kumar
No ratings yet
AME Transaction Types To Specific User On AME
Document5 pages
AME Transaction Types To Specific User On AME
Shaju Shana
No ratings yet
AD Schema & Specime: AD - Schema - & - Specifiers - Pdffiers
Document16 pages
AD Schema & Specime: AD - Schema - & - Specifiers - Pdffiers
MarcoM
No ratings yet
Instruction For Lifetime Activation
Document11 pages
Instruction For Lifetime Activation
Daniel Jose Castillo Guevara
No ratings yet
Api Example 1: Vulnerability Type: Api Request's Response Leakage. Screenshot of Component
Document49 pages
Api Example 1: Vulnerability Type: Api Request's Response Leakage. Screenshot of Component
Ashlee Gregory
No ratings yet
Issues
Document14 pages
Issues
srimkb
No ratings yet
Understand UAC and Make It Work For You.: Click To Edit Master Subtitle Style
Document49 pages
Understand UAC and Make It Work For You.: Click To Edit Master Subtitle Style
Jeffrey Carlson
No ratings yet
Office 365 and IMAP or POP3 With OAuth 2 PDF
Document11 pages
Office 365 and IMAP or POP3 With OAuth 2 PDF
Amardeep Kumar
No ratings yet
Permissions Required For The Ad Account Configured in Admanager Plus
Document34 pages
Permissions Required For The Ad Account Configured in Admanager Plus
Jayavignesh Zoho
No ratings yet
Sending Email From Siebel
Document2 pages
Sending Email From Siebel
Kirti Sahoo
No ratings yet
Faytaysports Online Store System (Foss) : Software Requirement Specification (SRS)
Document9 pages
Faytaysports Online Store System (Foss) : Software Requirement Specification (SRS)
Haziq Danish
No ratings yet
How To - Enable Restore Cyberoam Appliance Access
Document1 page
How To - Enable Restore Cyberoam Appliance Access
Anonymous 83o62c
No ratings yet
1: Login: Use Case Specification
Document3 pages
1: Login: Use Case Specification
aarav
No ratings yet
RPA Testing in REFramework
Document76 pages
RPA Testing in REFramework
Ionut Mardare
No ratings yet
Instructions Admin Ui Backend Authentication
Document18 pages
Instructions Admin Ui Backend Authentication
Ahlam Hana
No ratings yet
Configuration Wizard - PI AEX SLD Self Registration
Document4 pages
Configuration Wizard - PI AEX SLD Self Registration
Mario Tejada
No ratings yet
Hive PDF
Document7 pages
Hive PDF
Pavi
No ratings yet
Authorization Management Workflow: A Bull Evidian White Paper
Document24 pages
Authorization Management Workflow: A Bull Evidian White Paper
kjheiin
No ratings yet
Lab 12 - Referer-Based Access Control
Document3 pages
Lab 12 - Referer-Based Access Control
DODOXD Mekheimer
No ratings yet
Lab 7 - User ID Controlled by Request Parameter, With Unpredictable User IDs
Document4 pages
Lab 7 - User ID Controlled by Request Parameter, With Unpredictable User IDs
DODOXD Mekheimer
No ratings yet
Lab 8 - User ID Controlled by Request Parameter With Data Leakage in Redirect
Document3 pages
Lab 8 - User ID Controlled by Request Parameter With Data Leakage in Redirect
DODOXD Mekheimer
No ratings yet
Lab 9 - User ID Controlled by Request Parameter With Password Disclosure. Ahmed Khaled Saad Ali ID:1809799
Document4 pages
Lab 9 - User ID Controlled by Request Parameter With Password Disclosure. Ahmed Khaled Saad Ali ID:1809799
DODOXD Mekheimer
No ratings yet
Lab 5 - Method-Based Access Control Can Be Circumvented
Document6 pages
Lab 5 - Method-Based Access Control Can Be Circumvented
DODOXD Mekheimer
No ratings yet
Lab 3 - User Role Controlled by Request Parameter
Document7 pages
Lab 3 - User Role Controlled by Request Parameter
DODOXD Mekheimer
No ratings yet
Lab 2 - Unprotected Admin Functionality With Unpredictable URL
Document2 pages
Lab 2 - Unprotected Admin Functionality With Unpredictable URL
DODOXD Mekheimer
No ratings yet
Enhancing Performance OF Autosar Transformer and Autosar Applications Using Gpus
Document100 pages
Enhancing Performance OF Autosar Transformer and Autosar Applications Using Gpus
DODOXD Mekheimer
No ratings yet