Challenges
CWE-285 Improper Authorization
The REST API does not authorize the user. It should check whether the user making the request is allowed to perform that action on the requested resource.


CRUD page generation
Find auto-generated pages that are not used by the application.
Solution
The Transaction controller was generated using Visual Studio. /Transaction/Edit (GET, POST), /Transaction/Delete (GET, POST) and Transaction/DeleteConfirmed are not used by the application but can still be accessed.
You will find the flag in the response header.
Missing Authentication
In this challenge, you need to find endpoints that should be protected but are not.
Solution
Delete the SessionId cookie and try all endpoints. When you try /api/User/GetAvaliableFunds?user={username} or /api/User/ProfileImage?user={username} you will find that you don't need the SessionId cookie.
You will find the flag in the response header.
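One way to close both gaps, the missing authentication on the two endpoints named above and the missing ownership check from the CWE-285 challenge, as an added example that is not the challenge application's own code. It assumes an ASP.NET Core app with cookie authentication already configured and an IFundsRepository service (assumed name) that looks data up by username.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed abstraction; the challenge app's real data access layer is not shown on the page.
public interface IFundsRepository
{
    decimal GetAvailableFunds(string username);
    byte[] GetProfileImage(string username);
}

[ApiController]
[Route("api/[controller]")]
[Authorize]   // every action on this controller now requires an authenticated session
public class UserController : ControllerBase
{
    private readonly IFundsRepository _funds;
    public UserController(IFundsRepository funds) => _funds = funds;

    // Authorization (CWE-285): the caller may only read their own record.
    // The vulnerable handlers trusted the "user" query parameter alone; here it is
    // compared against the identity bound to the session cookie.
    private bool IsOwner(string user) =>
        !string.IsNullOrEmpty(User.Identity?.Name) &&
        string.Equals(User.Identity.Name, user, StringComparison.OrdinalIgnoreCase);

    [HttpGet("GetAvaliableFunds")]   // route name kept as the page spells it
    public IActionResult GetAvaliableFunds([FromQuery] string user)
        => IsOwner(user) ? Ok(_funds.GetAvailableFunds(user)) : Forbid();

    [HttpGet("ProfileImage")]
    public IActionResult ProfileImage([FromQuery] string user)
        => IsOwner(user) ? File(_funds.GetProfileImage(user), "image/png") : Forbid();
}

// Program.cs: a fallback policy makes authentication the default for every endpoint
// without an explicit [AllowAnonymous], so forgotten or auto-generated actions
// (such as the unused Transaction/Edit and Transaction/Delete pages) fail closed.
public static class AuthSetup
{
    public static void Configure(WebApplicationBuilder builder) =>
        builder.Services.AddAuthorization(options =>
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build());
}
```

With the fallback policy in place, the "delete the SessionId cookie and try all endpoints" check from the solution above becomes a useful regression test: every endpoint that is not deliberately anonymous should answer with a 401 or a redirect to login.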
Unconfirmed login
In this challenge, you need to access /Transaction with an unconfirmed account.
Solution
Register a new user.
Go to /Transaction without confirming your account.
You will find the flag inside the page source.