Access Control
Lab #3: User Role Controlled By Request Parameter
Hola, welcome back. This is the Lab #3 User Role Controlled By Request Parameter write-up of the Access Control labs on WebSec Academy. In this lab, we access the admin panel and delete the user Carlos. Let's get started, friends!
End Goal:
- Locating and accessing the admin panel via forgeable cookies.
- And using it to delete the user carlos.
Testing For Vulnerabilities:
- Using Burp Suite, send the main page request to the Repeater tab to test for unprotected functionality, i.e. whether the administrative functions are reachable without authorization. Browsing to the relevant admin URL, in this case specifying /admin as the path, results in a 401 error, indicating "unauthorized."
- Let's log in to our own account using the following credentials: wiener:peter. We'll use the Proxy tab and turn on intercept so we can capture and modify a request. Let's see.
- We can see that the login request uses the POST method (sending data to the server). We can send the request to the Repeater tab and modify it more conveniently there.
- Modify the request by changing the path to "/admin" and setting the "admin" cookie value from false (admin=false indicates that the user associated with the cookie is not an administrator) to true, keeping the session cookie so the request is still authenticated. Sending this request should take us to the admin panel. Bingo!
- Checking the response source, we can identify the path to delete the user "Carlos." Following that redirection with the same modified cookie, we can delete the user "Carlos" and successfully complete the lab.
And we complete our goal by accessing the admin panel and deleting the user "Carlos".
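The root cause of this lab is that the server trusts a role claim carried in a client-controlled cookie. The following Python demo is an added example, not code from the write-up or from the Academy lab: it models a vulnerable check that reads the "admin" cookie next to a fixed check that resolves the role from a server-side session store. The USERS and SESSIONS tables, the login() function and the cookie strings are constructed for this demo.

```python
# Added example (not from the original write-up or the lab): why a client-supplied
# role cookie like "admin=false" is forgeable, and how a server-side lookup fixes it.
# USERS, SESSIONS, login() and the cookie strings are constructed for this demo.
from http.cookies import SimpleCookie
import secrets

# Constructed server-side state: the session store maps opaque session ids to a
# username, and the user table holds the *authoritative* role.
USERS = {"wiener": {"role": "user"}, "administrator": {"role": "admin"}}
SESSIONS = {}  # session_id -> username

def login(username: str) -> dict:
    """Issue a session; the vulnerable design also copies the role into a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    is_admin = USERS[username]["role"] == "admin"
    return {"session": sid, "admin": "true" if is_admin else "false"}

def parse_cookie_header(header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def is_admin_vulnerable(cookie_header: str) -> bool:
    """Trusts the client: the 'admin' cookie alone decides access (the lab's bug)."""
    return parse_cookie_header(cookie_header).get("admin") == "true"

def is_admin_fixed(cookie_header: str) -> bool:
    """Ignores any role claim in the request; resolves the role from the session."""
    cookies = parse_cookie_header(cookie_header)
    username = SESSIONS.get(cookies.get("session", ""))
    if username is None:
        return False  # unauthenticated: the real app would answer 401
    return USERS[username]["role"] == "admin"

def admin_panel(cookie_header: str, check) -> int:
    """Return the HTTP status /admin would produce under a given authorization check."""
    return 200 if check(cookie_header) else 401

if __name__ == "__main__":
    c = login("wiener")
    forged = f"session={c['session']}; admin=true"   # cookie edited in the proxy
    print(admin_panel(forged, is_admin_vulnerable))  # 200: forged cookie accepted
    print(admin_panel(forged, is_admin_fixed))       # 401: role looked up server-side
```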
That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!