Unprotected admin functionality with unpredictable URL

This lab has an unprotected admin panel. It's located at an unpredictable location, but the location is disclosed somewhere in the application.

While inspecting the page's source code (Ctrl + U), I stumbled upon JavaScript that disclosed the admin panel directory:

var isAdmin = false;
if (isAdmin) {
   var topLinksTag = document.getElementsByClassName("top-links")[0];
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-4f6l3b');
   adminPanelTag.innerText = 'Admin panel';
   topLinksTag.append(adminPanelTag);
   var pTag = document.createElement('p');
   pTag.innerText = '|';
   topLinksTag.appendChild(pTag);
}

To access the admin panel, navigate to "/admin-4f6l3b" and delete the "carlos" user, which completes the lab.
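The `isAdmin` flag in the snippet above only decides whether the link is rendered; the path itself ships to every client in the script, so hiding the link is disclosure, not access control. As an added example (not part of this write-up or of the lab), the block below shows the two defender-side checks that follow from that: a source audit that pulls root-relative paths out of HTML/JS and flags privileged-looking ones, and a minimal server-side handler in which access to the admin route is decided by the session's role alone. The function names, the `PRIVILEGED_HINTS` list, the session object shape and the sample page (which embeds the lab's own snippet) are all constructed for this example.

```javascript
// Added example, not from the original write-up or the lab.
//  1. findPathsInSource(): scans page source for URL paths in string literals
//     or href attributes and flags privileged-looking ones. Any path that
//     appears here is known to every visitor, whatever the UI shows.
//  2. handleAdminRequest(): server-side handler where the session role, not
//     knowledge of the URL, decides access.
// Names, hints, the sample HTML and the session shape are constructed.

// Words that suggest a privileged endpoint; extend for your own application.
const PRIVILEGED_HINTS = ['admin', 'manage', 'internal', 'debug'];

// Match '/path' or "/path" inside JS string literals and href="/path" attributes.
// Only root-relative paths are considered, so a bare "/" in arithmetic is ignored.
const PATH_RE = /(?:['"]|href=['"])(\/[A-Za-z0-9._~\/-]*)['"]/g;

// Returns Map<path, { privileged: boolean }> for every path found in `source`.
function findPathsInSource(source) {
  const found = new Map();
  for (const m of source.matchAll(PATH_RE)) {
    const path = m[1];
    const lower = path.toLowerCase();
    const privileged = PRIVILEGED_HINTS.some((hint) => lower.includes(hint));
    found.set(path, { privileged });
  }
  return found;
}

// Only the privileged-looking paths, sorted for stable output.
function leakedPrivilegedPaths(source) {
  return [...findPathsInSource(source)]
    .filter(([, info]) => info.privileged)
    .map(([path]) => path)
    .sort();
}

// Constructed page source embedding the lab's client-side snippet.
const SAMPLE_PAGE = `
<html><body>
<section class="top-links"><a href="/">Home</a><a href="/my-account">My account</a></section>
<script>
var isAdmin = false;
if (isAdmin) {
  var topLinksTag = document.getElementsByClassName("top-links")[0];
  var adminPanelTag = document.createElement('a');
  adminPanelTag.setAttribute('href', '/admin-4f6l3b');
  adminPanelTag.innerText = 'Admin panel';
  topLinksTag.append(adminPanelTag);
}
</script>
</body></html>`;

// --- Server side: authorization must not rely on URL secrecy ---------------
// `session` is { userId, role } loaded from the server-side session store,
// never from anything the client sends (constructed shape for this example).
function handleAdminRequest(session) {
  if (!session) {
    return { status: 401, body: 'Unauthorized' };
  }
  // The route being unguessable plays no part here; only the role counts.
  if (session.role !== 'administrator') {
    return { status: 403, body: 'Forbidden' };
  }
  return { status: 200, body: `Admin panel for ${session.userId}` };
}

// Stand-alone usage: audit the constructed page and exercise the handler.
console.log('Paths found:', [...findPathsInSource(SAMPLE_PAGE).keys()]);
console.log('Privileged paths leaked in source:', leakedPrivilegedPaths(SAMPLE_PAGE));
console.log(handleAdminRequest({ userId: 'carlos', role: 'user' }));
console.log(handleAdminRequest({ userId: 'administrator', role: 'administrator' }));
```

Running the audit against your own templates and bundled scripts in CI gives an early warning whenever a privileged path is about to ship to clients; the handler shows the only check that actually protects the endpoint once the path is public.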
