The REST API does not authorize the user: it should check whether the user making the request is actually allowed to perform it.
CRUD page generation
Find auto-generated pages that are not used.
Solution
The Transaction controller was generated using Visual Studio. /Transaction/Edit (GET, POST), /Transaction/Delete (GET, POST) and /Transaction/DeleteConfirmed are not used but can still be accessed.
You will find the flag in the response header.
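The defensive fix for both the authorization point above (the API must check that the caller is allowed to act on the requested record) and the leftover scaffolded CRUD actions is shown below. This is an added example written for this walkthrough, not the challenge application's own code: it assumes an ASP.NET Core MVC app, an EF Core DbContext named BankContext with a Transactions DbSet, and a Transaction entity with an OwnerId column, all of which are hypothetical names.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Hypothetical hardened TransactionController (example code, not the challenge app's own).
// BankContext, Transactions and OwnerId are assumed names.
[Authorize]                       // every action in this controller requires an authenticated user
public class TransactionController : Controller
{
    private readonly BankContext _db;

    public TransactionController(BankContext db) => _db = db;

    // GET /Transaction : list only the caller's own rows, never the whole table.
    public async Task<IActionResult> Index()
    {
        var me = User.FindFirstValue(ClaimTypes.NameIdentifier);
        var mine = await _db.Transactions.Where(t => t.OwnerId == me).ToListAsync();
        return View(mine);
    }

    // GET /Transaction/Details/5 : object-level authorization, not just "is logged in".
    public async Task<IActionResult> Details(int id)
    {
        var me = User.FindFirstValue(ClaimTypes.NameIdentifier);
        var tx = await _db.Transactions.FindAsync(id);
        // Same 404 for "missing" and "not yours", so the response does not reveal which ids exist.
        if (tx is null || tx.OwnerId != me) return NotFound();
        return View(tx);
    }

    // The scaffolded Edit, Delete and DeleteConfirmed actions were deleted from the source.
    // If a generated method has to stay temporarily, [NonAction] removes it from routing:
    //
    //   [NonAction]
    //   public IActionResult DeleteConfirmed(int id) => throw new System.NotSupportedException();
}
```

The important habit is the second one: scaffolding tools emit a full CRUD set, and every action you do not consciously keep and protect is still a reachable route. Deleting unused actions beats decorating them, because a deleted action cannot be forgotten in a later refactor.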
Missing Authentication
In this challenge, you need to find endpoints that should be protected but are not.
Solution
Delete the SessionId cookie and try all endpoints.
When you try /api/User/GetAvaliableFunds?user={username} or /api/User/ProfileImage?user={username}, you will find that the SessionId cookie is not required.
You will find the flag in the response header.
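The two endpoints above have a second problem besides the missing authentication check: they take the subject from a ?user= query parameter, so even an authenticated caller could name someone else. The controller below is an added example, not the challenge application's code; it assumes an ASP.NET Core API controller and two hypothetical application services, IFundsService and IProfileImageStore, keyed by the authenticated user's id.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical hardened controller for the /api/User routes (example code, not the app's own).
// IFundsService and IProfileImageStore are assumed service contracts, defined at the bottom.
[ApiController]
[Route("api/[controller]")]
[Authorize]   // a request without a valid session/auth cookie now gets 401 instead of data
public class UserController : ControllerBase
{
    private readonly IFundsService _funds;
    private readonly IProfileImageStore _images;

    public UserController(IFundsService funds, IProfileImageStore images)
    {
        _funds = funds;
        _images = images;
    }

    // GET /api/User/GetAvaliableFunds
    // The ?user= parameter is gone: the subject comes from the verified identity,
    // so a caller can only ever read their own balance.
    [HttpGet("GetAvaliableFunds")]
    public async Task<ActionResult<decimal>> GetAvaliableFunds()
    {
        var me = User.FindFirstValue(ClaimTypes.NameIdentifier);
        return Ok(await _funds.GetAvailableAsync(me));
    }

    // GET /api/User/ProfileImage
    [HttpGet("ProfileImage")]
    public async Task<IActionResult> ProfileImage()
    {
        var me = User.FindFirstValue(ClaimTypes.NameIdentifier);
        var bytes = await _images.GetAsync(me);
        return bytes is null ? NotFound() : File(bytes, "image/png");
    }
}

// Service contracts assumed for this example.
public interface IFundsService { Task<decimal> GetAvailableAsync(string userId); }
public interface IProfileImageStore { Task<byte[]?> GetAsync(string userId); }
```

If an endpoint genuinely must be public, mark it with [AllowAnonymous] explicitly; an unannotated endpoint should never be the way something becomes public.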
Unconfirmed login
In this challenge, you need to access /Transaction with an unconfirmed account.
Solution
Register a new user.
Go to /Transaction without confirming your account.
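The application-level fix for this challenge is to refuse to issue a session until the account is confirmed, and to make authentication the default for every endpoint so that a newly added or scaffolded controller is protected even when nobody remembers to decorate it. The Program.cs below is an added example for an ASP.NET Core Identity app, not the challenge project's own startup code; BankContext and ApplicationUser are assumed type names, and the SQLite connection string is an assumption as well.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

// Hypothetical Program.cs (example code, not the challenge app's own).
// BankContext and ApplicationUser are assumed names.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<BankContext>(o =>
    o.UseSqlite(builder.Configuration.GetConnectionString("Default")));

builder.Services
    .AddDefaultIdentity<ApplicationUser>(options =>
    {
        // Registration still succeeds, but sign-in is refused until the
        // confirmation link has been used, so /Transaction is unreachable
        // with an unconfirmed account.
        options.SignIn.RequireConfirmedAccount = true;
    })
    .AddEntityFrameworkStores<BankContext>();

builder.Services.AddAuthorization(options =>
{
    // Fail closed: anything without an explicit [AllowAnonymous] requires
    // an authenticated user, including controllers scaffolded later.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();   // order matters: authenticate before authorize
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.MapRazorPages();       // the Identity UI pages (Register, Login, ConfirmEmail) are Razor Pages
app.Run();
```

The Identity UI's Login and Register pages already carry [AllowAnonymous], so the fallback policy does not lock users out of signing in; it only changes the default for everything you write yourself.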