Access Control
Lab #1: Unprotected admin functionality
Hola, welcome back. Here I will be creating a write-up on access control based on Web Security Academy, where I go through how I solved the labs. Let's get started!
Access Control: the mechanisms and policies put in place to regulate and manage access to resources within an application. This includes controlling which users can access certain pages, features, or data, and what actions they can perform once they are granted access. In the context of web applications, access control depends on authentication (who the user is) and session management (which requests belong to that user), so a flaw in either undermines it.
Lab #1: Unprotected admin functionality
This lab has an unprotected admin panel. Our task is to solve the lab by deleting the user "Carlos". Accessing the lab:
- Using a proxy, I use Burp and send all the requests to the Repeater tab, specifying "admin" in the web directory path, but couldn't find anything in the response. I received a 404 (not found) error.
- Accessing the "robots.txt" file (a text file placed on a website that instructs web robots which pages or files they can or cannot crawl), I found the path to the admin pages.
- Navigating to the path administrator-panel gets us to the admin pages. By checking the response source code, we can see the URL to delete the user "Carlos".
- Specifying that path in the request deletes the user "Carlos", and we are done.
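The root cause of this lab is that the admin path is merely hidden (absent from links, mentioned in robots.txt) rather than protected, so whoever finds it can act as an administrator. The following is an added example, not code from the original write-up or from the lab, that models the vulnerable handler beside a hardened one which authorizes every request on the server; the paths, user names, session layout and role names are assumptions for illustration.

```python
# Added example (not from the original write-up or the lab): a small in-memory
# model of an admin "delete user" endpoint with and without authorization.
# User names, roles and the session layout are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List


@dataclass
class Session:
    """Server-side session state bound to the caller's cookie."""
    user: Optional[str] = None
    role: str = "guest"  # assumed roles: "guest", "user", "admin"


@dataclass
class App:
    users: Set[str] = field(default_factory=lambda: {"wiener", "carlos", "administrator"})
    audit_log: List[str] = field(default_factory=list)

    def vulnerable_delete(self, session: Session, username: str) -> Tuple[int, str]:
        """Mirrors the lab: the admin path is only obscure, so any caller who
        reaches it (e.g. after reading robots.txt) can delete accounts."""
        if username not in self.users:
            return 404, "no such user"
        self.users.remove(username)
        return 200, f"deleted {username}"

    def protected_delete(self, session: Session, username: str) -> Tuple[int, str]:
        """Fix: authenticate and authorize on the server for every request to the
        admin path. A secret URL is not a control; the role check is."""
        if session.user is None:
            return 401, "authentication required"
        if session.role != "admin":
            # Log denied attempts: repeated hits on admin paths from non-admin
            # sessions are a useful detection signal for the SOC.
            self.audit_log.append(f"DENY admin/delete user={session.user} target={username}")
            return 403, "forbidden"
        if username not in self.users:
            return 404, "no such user"
        self.users.remove(username)
        self.audit_log.append(f"ALLOW admin/delete user={session.user} target={username}")
        return 200, f"deleted {username}"


def demo() -> dict:
    """Exercise both handlers with an anonymous, a normal and an admin session."""
    anonymous = Session()
    normal = Session(user="wiener", role="user")
    admin = Session(user="administrator", role="admin")
    results = {}

    app = App()
    results["vuln_anonymous_status"] = app.vulnerable_delete(anonymous, "carlos")[0]
    results["vuln_carlos_remains"] = "carlos" in app.users

    app = App()
    results["prot_anonymous_status"] = app.protected_delete(anonymous, "carlos")[0]
    results["prot_normal_status"] = app.protected_delete(normal, "carlos")[0]
    results["prot_carlos_remains_before_admin"] = "carlos" in app.users
    results["prot_admin_status"] = app.protected_delete(admin, "carlos")[0]
    results["prot_carlos_remains_after_admin"] = "carlos" in app.users
    results["denied_attempts_logged"] = sum(1 for line in app.audit_log if line.startswith("DENY"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened handler does not try to make the path harder to guess; it assumes the path is public (as robots.txt effectively makes it) and enforces the role on every request, returning 401 for anonymous callers and 403 for authenticated non-admins while recording the denied attempt for detection.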
That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!