https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-unprotected-admin-functionality-with-unpredictable-url
Last updated
This lab has an unprotected admin panel. It's located at an unpredictable location, but the location is disclosed somewhere in the application.
Solve the lab by accessing the admin panel, and using it to delete the user carlos.
The situation is similar to the last lab, but in this case we can't access to robots.txt file idea is access to the admin panel, trying some path there're not results, then we can try to see the robots.txt file:
then, we can try to search a potentially information disclosure into page source (CTRL+U)
checking for 'href' or eventually 'admin' we found a great reference that potentially can be the name of an admin panel page: /admin-yqeueq go there!
Great, it's correct!
Now, we can finishing deleting user Carlos:
