User role controlled by request parameter

https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-user-role-controlled-by-request-parameter

Parameter-based access control methods

Description

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

as indicated into description, we know the admin panel path, but without admin credentials we can't do nothing,

so we can do normal login with followring credentials: wiener:peter

analysing the http response after login, we can see that there're into cookie and admin flag set to false and the session ID:

Setting the admin flag to 'true' we can do a vertical privilege escalation

then, go to admin panel and set the flag equals true:

Now, we can finishing deleting user Carlos:

PreviousUnprotected admin functionality with unpredictable URL NextUser ID controlled by request parameter, with unpredictable user IDs

Last updated 1 year ago

hashtagParameter-based access control methodsarrow-up-right

hashtagDescription

hashtagSolution

Parameter-based access control methods

Description

Solution