Post

PortSwigger - Access Control vulnerabilities labs

PortSwigger Web Security Academy - Access Control vulnerabilities labs

PortSwigger - Access Control vulnerabilities labs

PortSwigger – Access Control Vulnerabilities Labs


LAB 1 — Unprotected Admin Functionality

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityUnprotected admin panel
GoalDelete the user carlos
Key ConceptAfter enumeration we find a file called robots.txt which contains directives to prevent bots from accessing the admin panel. Accessing that path directly gives us a fully functional admin interface

Steps

1. Start the lab and navigate to /robots.txt — it reveals the path /administrator-panel: alt text

2. Access /administrator-panel and find the option to delete users: alt text

3. Delete carlos → Solved: alt text


LAB 2 — Unprotected Admin Functionality with Unpredictable URL

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityUnprotected admin panel
GoalDelete the user carlos
Key ConceptThe page contains a JavaScript snippet that routes users based on their role. The admin panel path is embedded in this script and is visible in the page source

Steps

1. Start the lab, right-click → View Page Source, and find the admin panel path inside a JS block: alt text

2. Navigate to the admin panel and delete user carlos → Solved: alt text


LAB 3 — User Role Controlled by Request Parameter

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityAccess control bypass via cookie manipulation
GoalDelete user carlos
Key ConceptThe application stores the user’s role in a cookie (Admin=false). By intercepting the request and changing it to Admin=true, the admin panel becomes accessible

Steps

1. Start the lab and login as wiener / peter: alt text

2. Reload the page and intercept the request with Burp: alt text

3. Change Admin=falseAdmin=true and forward the request: alt text alt text

4. The admin panel link now appears in the navigation: alt text

5. Clicking it shows Admin interface only available if logged in as an administrator — the check runs on each request: alt text

6. Intercept the next request and again change Admin=true: alt text alt text

7. Access the admin panel, intercept the delete request, set Admin=true again → carlos deleted → Solved: alt text alt text


LAB 4 — User Role Can Be Modified in User Profile

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityAccess control bypass via mass assignment on the update email endpoint
GoalDelete user carlos
Key ConceptWhen updating the email address, the server response includes a roleid field. Sending "roleid": 2 in the request body causes the server to accept and apply it, escalating our privileges to admin

Steps

1. Start the lab and login with wiener / peter: alt text

2. Use the update email functionality and intercept the request with Burp: alt text

3. Send the request to Repeater: alt text

4. The response contains a roleid key — add "roleid": 2 to the request body and resend: alt text

5. Go back to the browser — the admin panel link is now visible: alt text

6. Click the admin panel and delete user carlos → Solved: alt text


LAB 5 — User ID Controlled by Request Parameter

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityHorizontal privilege escalation
GoalObtain the API key for user carlos and submit it as the solution
Key ConceptThe account page URL uses a ?id=username parameter. Changing it to another username loads that user’s account page and leaks their API key

Steps

1. Start the lab and login as wiener — observe the account page URL: alt text

2. Intercept the request with Burp: alt text

3. Send to Repeater and change the id parameter to carlos: alt text

4. The response contains carlos’s API key — copy and submit it → Solved: alt text alt text


LAB 6 — User ID Controlled by Request Parameter, with Unpredictable User IDs

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityHorizontal privilege escalation
GoalFind the GUID for carlos, then submit his API key as the solution
Key ConceptUser IDs are GUIDs, not usernames. By finding a blog post authored by carlos and clicking his name, the GUID is exposed in the URL. Substituting it in the account page URL leaks his API key

Steps

1. Start the lab and login as wiener: alt text

2. Browse the blog and find a post authored by carlos: alt text

3. Click on carlos’s name and intercept the request — the GUID is visible in the URL: alt text

4. Copy the GUID and use it in the ?id= parameter on the account page: alt text

5. Submit the API key → Solved: alt text


LAB 7 — User ID Controlled by Request Parameter with Data Leakage in Redirect

Level: APPRENTICE

alt text

Analysis

  
VulnerabilitySensitive information leaked in the body of a redirect response
GoalObtain the API key for user carlos and submit it as the solution
Key ConceptWhen changing the id parameter to another user, the application issues a 302 redirect to the login page — but the response body still contains the target user’s account page, including their API key

Steps

1. Start the lab and login as wiener / peter: alt text

2. Reload the account page and intercept the request with Burp: alt text

3. Send to Repeater and change the id parameter to carlos: alt text

4. The server returns a 302 redirect, but the full account page is in the response body: alt text

5. Use the Render tab to view the page — carlos’s API key is visible: alt text

6. Copy the API key, submit it → Solved: alt text


LAB 8 — User ID Controlled by Request Parameter with Password Disclosure

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityHorizontal privilege escalation leading to password disclosure
GoalRetrieve the administrator’s password, then log in and delete user carlos
Key ConceptThe account page populates the password field with the user’s actual password. By changing the id parameter to administrator, we can read the pre-filled password from the response

Steps

1. Start the lab and login with wiener / peter: alt text

2. Reload the account page and intercept the request with Burp: alt text

3. Send to Repeater and change the id parameter to administrator — the response contains a masked password field: alt text

4. Switch to the Pretty view to read the plaintext password: alt text

5. Login as administrator with that password, navigate to the admin panel, delete carlos → Solved: alt text


LAB 9 — Insecure Direct Object References

Level: APPRENTICE

alt text

Analysis

  
VulnerabilityInsecure Direct Object Reference (IDOR)
GoalFind carlos’s password and log in as him
Key ConceptThe live chat feature allows downloading a transcript file. The filename is sequential (e.g. 2.txt). By intercepting the download request and changing the filename to 1.txt, we can access another user’s transcript which contains carlos’s password

Steps

1. Start the lab, login as wiener / peter, and navigate to the Live Chat tab: alt text

2. Click “View transcript” and observe the file download: alt text

3. Click “View transcript” again and intercept the request with Burp — note the filename is 2.txt: alt text

4. Enable “Intercept response to this request”: alt text

5. The response references 3.txt — change the filename in the request to 1.txt: alt text alt text

6. Forward the request — 1.txt is downloaded: alt text

7. Open the file — it contains carlos’s password: alt text

8. Login as carlos with the discovered password → Solved: alt text


LAB 10 — URL-Based Access Control Can Be Circumvented

Level: PRACTITIONER

alt text

Analysis

  
VulnerabilityAccess control bypass via X-Original-URL header
GoalDelete user carlos
Key ConceptThe front-end blocks direct access to /admin. However, by sending the request to / with the header X-Original-URL: /admin, the back-end processes the header value instead of the URL, bypassing the front-end restriction entirely

Steps

1. Start the lab and open Burp — direct access to /admin returns 403 Access Denied: alt text

2. Send the request to Repeater, change the path to /, and add the header X-Original-URL: /admin — the admin panel loads successfully:

3. To delete carlos, set X-Original-URL: /admin/delete and add username=carlos as a query parameter in the actual URL → Solved.


LAB 11 — Method-Based Access Control Can Be Circumvented

Level: PRACTITIONER

alt text

Analysis

  
VulnerabilityAccess control bypass via HTTP method switching
GoalLog in as wiener and promote the wiener account to admin
Key ConceptThe application enforces access control on the POST method for the privilege escalation endpoint, but fails to apply the same check on GET. By changing the request method from POST to GET, a low-privileged user can call the endpoint successfully

Steps

1. Start the lab and login as administrator / admin with Burp intercepting all requests: alt text

2. Navigate to the admin panel and promote user carlos to admin: alt text

3. Logout and login as wiener / peter: alt text

4. Copy wiener’s session cookie from Burp HTTP history: alt text

5. Find the admin privilege escalation request in HTTP history, send it to Repeater, and replace the admin cookie with wiener’s cookie — the response is 401 Unauthorized: alt text

6. Right-click → Change request method to convert POSTGET: alt text

7. Send — the response is now 200 OK: alt text

8. Change the username parameter to wiener: alt text

9. Send → Solved: alt text


LAB 12 — Multi-Step Process with No Access Control on One Step

Level: PRACTITIONER

alt text

Analysis

  
VulnerabilityMissing access control on the confirmation step of a multi-step flow
GoalLog in as wiener and promote the wiener account to admin
Key ConceptThe privilege escalation process has two steps: the initial action and a confirmation request. Access control is only enforced on the first step — the confirmation request has no such check, so a low-privileged user can call it directly to complete the escalation

Steps

1. Start the lab and login as administrator / admin with Burp intercepting all requests: alt text

2. Open the admin panel and upgrade user carlos to admin — note that a second confirmation request is sent: alt text

3. Logout and login as wiener / peter: alt text

4. Reload the page and copy wiener’s session cookie from Burp: alt text

5. Find the confirmation request in HTTP history and send it to Repeater: alt text

6. Replace the admin cookie with wiener’s cookie — the response is 401 Unauthorized (this is the protected first step): alt text

7. Change the username parameter to wiener and send — this hits the unprotected confirmation step directly: alt text

8. The promotion succeeds → Solved.


LAB 13 — Referer-Based Access Control

Level: PRACTITIONER

alt text

Analysis

  
VulnerabilityAccess control enforced via Referer header only
GoalLog in as wiener and promote the wiener account to admin
Key ConceptThe privilege escalation endpoint checks the Referer header to verify the request originated from the admin panel. Since this header is user-controlled, a low-privileged user can forge it and call the endpoint directly

Steps

1. Start the lab and login as administrator / admin with Burp intercepting all requests: alt text

2. Navigate to the admin panel and promote carlos to admin — capture the request in Burp: alt text

3. Logout and login as wiener / peter — copy wiener’s session cookie: alt text

4. In Repeater, replace the admin cookie with wiener’s cookie and change the username parameter from carlos to wiener — keep the original Referer header pointing to /admin: alt text

5. Send → Solved: alt text


Finished — Happy Hacking…!


Find me online:


This post is licensed under CC BY 4.0 by the author.