# Challenges

## CWE-285 Improper Authorization

The REST API does not authorize the user. It should check whether the user making the request is allowed to perform that action on that resource.

![](/files/o5NbbHaE0NQuA0y2dCY9)

![](/files/GaFSx5ZQu8S8o0yutJQ1)

## CRUD page generation

Find auto-generated pages that are not used by the application.

### Solution

The `Transaction` controller was generated using Visual Studio. `/Transaction/Edit` (GET, POST), `/Transaction/Delete` (GET, POST) and `/Transaction/DeleteConfirmed` are not used by the application but can still be accessed.

You will find the flag in the response header.

## Missing Authentication

In this challenge, you need to find endpoints that should be protected but are not.

### Solution

1. Delete the `SessionId` cookie and try all endpoints.
2. When you try `/api/User/GetAvaliableFunds?user={username}` or `/api/User/ProfileImage?user={username}` you will find that you don't need the `SessionId` cookie.

You will find the flag in the response header.

## Unconfirmed login

In this challenge, you need to access `/Transaction` with an unconfirmed account.

### Solution

1. Register a new user.
2. Go to `/Transaction` without confirming your account.

You will find the flag inside the page source.
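As an added illustration (not SecureBank's own code), this is how an ASP.NET Core controller in the style of the scaffolded `Transaction` controller could close the three gaps described above: `[Authorize]` for the missing-authentication case, a confirmed-account gate for the unconfirmed-login case, and an object-level ownership check for CWE-285. The `Transaction` entity with its `OwnerId` column, the `ApplicationDbContext`, and the use of ASP.NET Core Identity's `IdentityUser` are assumptions for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Assumed model (not from the page): each transaction stores the Identity user id that owns it.
public class Transaction { public int Id { get; set; } public string OwnerId { get; set; } = ""; public decimal Amount { get; set; } }
public class ApplicationDbContext : DbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> o) : base(o) { }
    public DbSet<Transaction> Transactions => Set<Transaction>();
}

[Authorize] // "Missing Authentication" fix: every action now requires an authenticated session
public class TransactionController : Controller
{
    private readonly ApplicationDbContext _db;
    private readonly UserManager<IdentityUser> _users;

    public TransactionController(ApplicationDbContext db, UserManager<IdentityUser> users)
    {
        _db = db;
        _users = users;
    }

    // "Unconfirmed login" fix: being authenticated is not enough, the account must also be confirmed.
    private async Task<IdentityUser?> ConfirmedUserAsync()
    {
        var user = await _users.GetUserAsync(User);
        return user is { EmailConfirmed: true } ? user : null;
    }

    // GET /Transaction/Details/5
    // CWE-285 fix: object-level check that the record belongs to the caller, not merely that the caller is logged in.
    [HttpGet]
    public async Task<IActionResult> Details(int id)
    {
        var user = await ConfirmedUserAsync();
        if (user == null) return Forbid();

        var tx = await _db.Transactions
            .AsNoTracking()
            .SingleOrDefaultAsync(t => t.Id == id && t.OwnerId == user.Id);
        // 404 rather than 403 so the existence of other users' records is not disclosed.
        if (tx == null) return NotFound();
        return View(tx);
    }

    // Scaffolded Edit/Delete/DeleteConfirmed actions the application does not use are deleted outright:
    // an action that no longer exists cannot be reached without authorization.
}
```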

