CopyPasta

Today we have a Broken Access Control vulnerability today.

Today I had to click around a bit more to find a vulnerable point in the application. I had not tested all the functionality before I went to BurpSuite, so that's why it took me a bit longer than usual.

Make sure to test all functionality. If you find nothing, start at the beginning and make sure to click all the buttons and highlight them in Burp at the same time so you don't overlook anything.

Finally I found an endpoint where a userId was sent with the PUT request on api/profile/password , normally the flag is at the admin, and usually, the id is 2, but today I had to find out not to assume things 😅.

So I updated the password for userId 1.

I logged in as admin, with the new password and looked at the private snippets.

And there, I found my flag 🇧🇪