The user can also be changed on the fly
Just like in the previous modules, we can of course also perform the login from an add-on based on a request parameter. So far we have always logged in as the same user; instead, the add-on can read the desired username from the HTTP request, for example from a query parameter:
GET /home?user=admin HTTP/1.1
...
When the add-on sees this parameter, it performs the login as the given user. This way the username can be changed on the fly, and we can test how the application behaves for a specific role or username. The application itself does not use or care about the parameter, but if needed the add-on can strip it from the HTTP request before forwarding it. Use this approach to solve the next task.
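The following is an added example of such an add-on, not code from the course. It is written in the duck-typed style of a mitmproxy add-on (a `request(self, flow)` hook and an `addons` list), but the core logic is a pure function so it also runs without mitmproxy installed. The credential table, the session cookie name `session`, the `fake_login` stand-in and the `sess-...` token format are all constructed assumptions; a real add-on would replace `fake_login` with a POST to the application's login form and read the session cookie from the response.

```python
"""Hypothetical mitmproxy-style add-on: choose the login user from a ?user= query parameter."""
from typing import Callable, Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholders for the three exercise users (not real secrets).
SAMPLE_CREDENTIALS: Dict[str, str] = {
    "admin": "<admin-password>",
    "bobby": "<bobby-password>",
    "johnny": "<johnny-password>",
}

PARAM = "user"           # query parameter the add-on consumes and strips
COOKIE_NAME = "session"  # assumed name of the target application's session cookie


def fake_login(username: str, password: str) -> str:
    """Stand-in for the real login. Returns a constructed session token;
    a real add-on would POST the credentials and read Set-Cookie."""
    return f"sess-{username}-{len(password)}"


class UserSwitcher:
    """Reads ?user=<name>, logs that user in (one login per user, cached),
    injects the session cookie, and removes the parameter before forwarding."""

    def __init__(self, login: Callable[[str, str], str] = fake_login,
                 credentials: Dict[str, str] = SAMPLE_CREDENTIALS) -> None:
        self._login = login
        self._credentials = credentials
        self._sessions: Dict[str, str] = {}  # username -> session token

    def session_for(self, username: str) -> Optional[str]:
        """Return a cached session token for a known user, logging in on first use."""
        if username not in self._credentials:
            return None  # unknown user: leave the request untouched
        if username not in self._sessions:
            self._sessions[username] = self._login(username, self._credentials[username])
        return self._sessions[username]

    def rewrite(self, url: str, headers: Dict[str, str]) -> str:
        """Pure, testable core: sets the Cookie header for the requested user and
        returns the URL with the user parameter removed. Other parameters are kept."""
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        username = next((v for k, v in query if k == PARAM), None)
        if username is None:
            return url
        token = self.session_for(username)
        if token is None:
            return url
        headers["Cookie"] = f"{COOKIE_NAME}={token}"
        remaining = [(k, v) for k, v in query if k != PARAM]
        return urlunsplit(parts._replace(query=urlencode(remaining)))

    # mitmproxy request hook; duck-typed so no mitmproxy import is needed here.
    def request(self, flow) -> None:
        flow.request.url = self.rewrite(flow.request.url, flow.request.headers)


addons = [UserSwitcher()]
```

Because the login happens once per user and is cached, switching between `?user=admin` and `?user=bobby` on successive requests costs nothing extra, and requests without the parameter (or with an unknown user) pass through unchanged, so the add-on never injects a cookie it has no basis for.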
Exercise
Now we will apply the concepts learned earlier and solve the next task without predefined code. In this module's task there are three different users: admin, bobby and johnny. The application contains folders and files whose visibility depends entirely on which user is used. Find them and you will find the flag.
Note: a tool such as ffuf is handy here:
ffuf -u http://example.com/FUZZ?user=admin -w words.txt -mc all
As a member of Hakatemia you get unlimited access to Hakatemia modules, exercises and tools, and you get access to the Hakatemia Discord channel where you can ask for help from both instructors and other Hakatemia members.