Unprotected admin functionality with unpredictable URL

https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-unprotected-admin-functionality-with-unpredictable-url

PreviousUnprotected admin functionality NextUser role controlled by request parameter

Last updated 13 days ago

Unprotected admin functionality with unpredictable URL

https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-unprotected-admin-functionality-with-unpredictable-url

Unprotected functionality

Description

This lab has an unprotected admin panel. It's located at an unpredictable location, but the location is disclosed somewhere in the application.

Solve the lab by accessing the admin panel, and using it to delete the user carlos.

Solution

The situation is similar to the last lab, but in this case we can't access to robots.txt file idea is access to the admin panel, trying some path there're not results, then we can try to see the robots.txt file:

then, we can try to search a potentially information disclosure into page source (CTRL+U)

checking for 'href' or eventually 'admin' we found a great reference that potentially can be the name of an admin panel page: /admin-yqeueq go there!

https://0a5200610459467f82f57493001d0046.web-security-academy.net/admin-yqeueq

Great, it's correct!

Now, we can finishing deleting user Carlos:

PreviousUnprotected admin functionality NextUser role controlled by request parameter

Last updated 13 days ago