Unprotected admin functionality

https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-unprotected-admin-functionality

Unprotected functionality

Description

This lab has an unprotected admin panel.

Solve the lab by deleting the user carlos.

Solution

The idea is access to the admin panel, trying some path there're not results, then we can try to see the robots.txt file: https://0acf00c003d580aedfc3cb23003400e9.web-security-academy.net/robots.txt

here was inserted the admin panel page to disallow it on google searches.

Then go there: https://0acf00c003d580aedfc3cb23003400e9.web-security-academy.net/administrator-panel

and eliminate user Carlos clicking to Delete