Portswigger - Access Control Labs Walkthrough

Author
Md Rakib Ahmed Nishad
A Junior pentester
In this article I share walkthroughs for the access control vulnerability labs in the PortSwigger Web Security Academy. Every lab below ends the same way, by deleting the user carlos from the admin panel; what differs is how the application fails to protect that panel or the data it exposes.

Lab 1: Unprotected Admin Functionality

Overview

This lab contains an admin panel with no authentication in front of it. The goal is to delete the user carlos.

Solution

  1. Request /robots.txt. The admin panel path is listed in a Disallow entry, which keeps crawlers away from it but tells a tester exactly where to look.
  2. Navigate to that path. The admin panel loads without any login.
  3. Delete the user carlos to complete the lab.




Lab 2: Unprotected Admin Functionality with Unpredictable URL

Overview

This lab's admin panel sits at an unpredictable path, but the application discloses that path to every visitor. The goal is to delete the user carlos.

Solution

  1. Inspect the product page source. An inline script only creates the admin link when isAdmin is true, but the path itself is sent to the client regardless of role:
var isAdmin = false;
if (isAdmin) {
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-061w6y');
}
  2. Navigate to /admin-061w6y and delete carlos. Client-side gating hides the link from the page, not from the source.
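Labs 1 and 2 are both discovery problems: the admin path is disclosed by the server, in robots.txt or in an inline script, and a tester only has to collect it. The following script is an added example, not code from the walkthrough or from PortSwigger. It parses a robots.txt body for Disallow entries and pulls every path-like string literal out of inline script blocks, then keeps the ones that look like privileged functionality. The sample robots.txt content and the base URL are constructed for the example; the '/admin-061w6y' path is the one quoted above.

```python
import re
from urllib.parse import urljoin

# Constructed sample responses standing in for what the lab server returns. The '/admin-061w6y'
# path is the one quoted in the walkthrough; the robots.txt content is made up for this example.
ROBOTS_TXT = """User-agent: *
Disallow: /administrator-panel
Disallow: /cgi-bin/
Allow: /
"""

PRODUCT_PAGE_HTML = """<html><body>
<a href="/product?productId=1">Product</a>
<script>
var isAdmin = false;
if (isAdmin) {
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-061w6y');
   adminPanelTag.innerText = 'Admin panel';
   document.body.appendChild(adminPanelTag);
}
</script>
</body></html>
"""


def disallowed_paths(robots_txt):
    """Return every path listed in a Disallow directive, in file order.

    robots.txt is a crawler hint, not an access control: anything a site does not want
    indexed is exactly what a tester enumerates first.
    """
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path and path not in paths:
                paths.append(path)
    return paths


_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_PATH_LITERAL_RE = re.compile(r"""['"](/[^'"\s]*)['"]""")


def script_path_literals(html):
    """Return every string literal that looks like a URL path inside inline <script> blocks.

    Client-side gating such as `if (isAdmin) ...` hides a link from the UI, not from the
    source: the path ships to every client regardless of role.
    """
    found = []
    for script in _SCRIPT_RE.findall(html):
        for path in _PATH_LITERAL_RE.findall(script):
            if path not in found:
                found.append(path)
    return found


def candidate_admin_urls(base_url, robots_txt, html, keywords=("admin",)):
    """Combine both sources and keep the paths whose name suggests privileged functionality."""
    candidates = disallowed_paths(robots_txt) + script_path_literals(html)
    return [
        urljoin(base_url, path)
        for path in candidates
        if any(k in path.lower() for k in keywords)
    ]


if __name__ == "__main__":
    # Constructed base URL; against a lab this would be the instance hostname.
    for url in candidate_admin_urls("https://example.com", ROBOTS_TXT, PRODUCT_PAGE_HTML):
        print(url)
```

In a real engagement the two sample strings would be the bodies of GET /robots.txt and GET / from the target; the keyword filter is deliberately loose, since the unpredictable suffix in Lab 2 defeats wordlist guessing but not a search for strings that merely contain "admin".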


Lab 3: User Role Controlled by Request Parameter

Overview

This lab identifies administrators with a forgeable cookie: the user's role is stored on the client, where the user can rewrite it. The objective is to access the admin panel and delete carlos.

Solution

  1. Log in with the provided credentials:
Username: wiener
Password: peter
  2. Inspect the request headers for any page after login. Alongside the session cookie there is a separate Admin cookie:
Cookie: Admin=false; session=Jiu7Q6cGNKF9NY0sL1GV75R1Un3Zrqk4
  3. In Burp Suite, change the Admin cookie to true on the request for the admin panel; the session cookie stays as it is:
Cookie: Admin=true; session=Jiu7Q6cGNKF9NY0sL1GV75R1Un3Zrqk4
  4. To browse the panel normally, set Admin=true in the browser's cookie store as well, refresh, open the admin panel and delete carlos.


Lab 4: User ID Controlled by Request Parameter with Unpredictable User IDs

Overview

This lab's account page selects the user from a request parameter, but identifies users with GUIDs rather than predictable names. The goal is to find carlos's GUID and submit his API key.

Solution

  1. Log in using the provided credentials:
Username: wiener
Password: peter
  2. Open your account page and note your own API key, together with the request that fetched the page: the account is chosen by an id parameter carrying your GUID.
  3. Find carlos's GUID. Open one of his blog posts and follow the author link; the GUID is in the userId parameter:
https://0add00be037d4278819b3ed400bb0085.web-security-academy.net/blogs?userId=6edbadd6-1268-4466-83f9-0dbebb148cad
  4. In Burp Suite, resend the account page request with the id parameter set to carlos's GUID. The response contains his API key.
  5. Submit carlos's API key to complete the lab.


Lab 5: User ID Controlled by Request Parameter with Password Disclosure

Overview

This lab's account page selects the user from an id parameter and includes that user's current password in the response. The goal is to read the administrator's password, log in as administrator, and delete carlos.

Solution

  1. Log in using the provided credentials:
Username: wiener
Password: peter
  2. Inspect the request for the account page. In Burp Suite, change the id parameter to administrator and read the administrator's password from the response:
GET /account?id=administrator
  3. Log in as the administrator (the password is specific to this lab instance):
Username: administrator
Password: 61dp6dq38bab1d50921x
  4. Access the admin panel and delete carlos.
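Labs 3, 4 and 5 share one root cause: the server reads an access-control decision (who you are, or what role you hold) out of the request instead of out of its own session state. The handlers below are an added example, not code from the walkthrough or from PortSwigger. They model the vulnerable behaviour of each lab beside a hardened version that derives both identity and role from the server-side session. The session token, carlos's GUID and the administrator password are the values quoted above; every other user record, API key and GUID is constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only the parts the access checks look at."""
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller may not see the requested resource."""


# Constructed server-side state. Only the session token, carlos's GUID and the administrator
# password quoted in the walkthrough are taken from the page; the other values are made up.
SESSIONS = {"Jiu7Q6cGNKF9NY0sL1GV75R1Un3Zrqk4": "wiener"}  # session token -> username

USERS = {
    "wiener": {"username": "wiener", "guid": "c2f5e2d0-0000-4000-8000-000000000001",
               "role": "user", "api_key": "WIENER-KEY-EXAMPLE", "password": "peter"},
    "carlos": {"username": "carlos", "guid": "6edbadd6-1268-4466-83f9-0dbebb148cad",
               "role": "user", "api_key": "CARLOS-KEY-EXAMPLE", "password": "carlos-password-example"},
    "administrator": {"username": "administrator", "guid": "c2f5e2d0-0000-4000-8000-000000000003",
                      "role": "admin", "api_key": "ADMIN-KEY-EXAMPLE", "password": "61dp6dq38bab1d50921x"},
}

# Lab 5 selects users by username and Lab 4 by GUID; index both so one handler models either.
USERS_BY_ID = {u["username"]: u for u in USERS.values()}
USERS_BY_ID.update({u["guid"]: u for u in USERS.values()})


def current_user(request):
    """Resolve the caller from the server-side session; None when not logged in."""
    username = SESSIONS.get(request.cookies.get("session"))
    return USERS.get(username) if username else None


# --- Lab 3: role stored in a client-controlled cookie ---------------------------------------

def vulnerable_is_admin(request):
    # The client sets Admin=true and becomes an administrator. Nothing server-side is consulted.
    return request.cookies.get("Admin") == "true"


def hardened_is_admin(request):
    # Role comes from the account record bound to the session, never from a cookie the user edits.
    user = current_user(request)
    return user is not None and user["role"] == "admin"


# --- Labs 4 and 5: account selected by a request parameter ----------------------------------

def vulnerable_account(request):
    # Anyone can read any account by supplying its id; the session is never consulted.
    # Unpredictable GUIDs only make guessing harder: once a GUID leaks (the blog author link in
    # Lab 4) it is as good as a username. The response also echoes the stored password (Lab 5).
    user = USERS_BY_ID[request.query["id"]]
    return {"username": user["username"], "api_key": user["api_key"], "password": user["password"]}


def hardened_account(request):
    # The account shown is the one bound to the session. An id parameter naming anyone else is
    # rejected rather than honoured, and the password is never part of a response.
    user = current_user(request)
    if user is None:
        raise Forbidden("not logged in")
    requested = request.query.get("id")
    if requested is not None and requested not in (user["username"], user["guid"]):
        raise Forbidden("id does not belong to the logged-in user")
    return {"username": user["username"], "api_key": user["api_key"]}
```

The hardened handlers keep the id parameter only for compatibility and treat a mismatch as a 403 rather than silently serving the caller's own record, so that an attempted IDOR shows up in the logs instead of being swallowed. Real applications also store a password hash rather than the password, which removes the Lab 5 disclosure at the storage layer as well as at the response.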
