Broken Access Control - DVNA

Step 1: Log in as a non-admin user and navigate to the admin dashboard at /app/admin. Intercept the request in Burp Suite.

Step 2: Send the intercepted request to Burp Repeater (CTRL+R) and switch to the Repeater tab (CTRL+SHIFT+R).

Step 3: Forward the request from Repeater and notice that the response body contains the URL /app/admin/users.

Step 4: Modify the GET request so that the resource path is /app/admin/users. In the response, notice that an XHR request is made to /app/admin/usersapi.

Step 5: Modify the GET request so that the resource path is /app/admin/usersapi. In the response, notice that the application returns sensitive user details to a non-admin user.
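The fix a defender would want for this finding, as an added example that is not DVNA's own code: an Express-style role check mounted on the whole /app/admin tree, shown beside the weaker login-only check that lets any authenticated user reach the data endpoint. It uses a minimal request/response mock so it runs without the express package; the USERS store, the session shape and the function names are assumptions.

```javascript
// Added example, not DVNA's code: USERS, session shape and names are assumptions.
// Constructed user store; the role lives server-side, never in the request.
const USERS = {
  alice: { id: 1, login: 'alice', role: 'admin' },
  bob:   { id: 2, login: 'bob',   role: 'user' },
};
// Vulnerable pattern: only checks that *some* user is logged in, so any
// authenticated user who requests /app/admin/usersapi gets the data.
function isAuthenticated(req, res, next) {
  if (req.session && req.session.user) return next();
  return res.status(401).send('Login required');
}
// Hardened check: resolve the role from the server-side session record and deny
// anything but admin; mount it on every /app/admin route, XHR endpoints included.
function isAdmin(req, res, next) {
  const user = req.session && req.session.user && USERS[req.session.user];
  if (!user) return res.status(401).send('Login required');
  if (user.role !== 'admin') return res.status(403).send('Forbidden');
  return next();
}

// Handler for GET /app/admin/usersapi: returns the user list as JSON.
function usersApi(req, res) {
  return res.json(Object.values(USERS).map(u => ({ id: u.id, login: u.login })));
}

// Minimal stand-in for Express's res object.
function makeRes() {
  const res = { code: 200, body: null };
  res.status = (c) => { res.code = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Run a request through a middleware chain and then the handler.
function dispatch(chain, handler, req) {
  const res = makeRes();
  let i = 0;
  const next = () => (i < chain.length ? chain[i++](req, res, next) : handler(req, res));
  next();
  return res;
}

// Simulate GET /app/admin/usersapi as the given logged-in user.
function requestUsersApi(login, chain) {
  const req = { method: 'GET', path: '/app/admin/usersapi', session: { user: login } };
  return dispatch(chain, usersApi, req);
}
```

Running the same non-admin request through both chains reproduces the finding (200 with the user list) and the fix (403), and a request with no session gets 401 from either.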
