siunam's Website


Multi-step process with no access control on one step | Dec 14, 2022

Introduction

Welcome to another one of my writeups! In this PortSwigger Labs lab, you’ll learn about a multi-step process with no access control on one step. Without further ado, let’s dive in.

Background

This lab has an admin panel with a flawed multi-step process for changing a user’s role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Exploitation

Home page:

Let’s log in as administrator to view the admin panel:

Here, the administrator can upgrade or downgrade a user’s privilege.

Let’s try to upgrade and downgrade a user’s privilege, and intercept the request via Burp Suite:

When the administrator tries to upgrade a user, the browser sends a POST request to /admin-roles with two parameters: username and action (upgrade or downgrade).

After that POST request, a confirmation page is shown:

If we click Yes, a second POST request is sent:

This time there is one more parameter: confirmed, set to true.

Armed with the above information, we can log in as user wiener and try to escalate our privilege to administrator:

Now let’s send a GET request to /admin-roles and intercept it in Burp Suite’s Repeater to see what happens:

Unauthorized. How about a POST request?

Still Unauthorized.

Hmm… How about we also provide the username and action parameters?

What if I provide the confirmed parameter as well?

Wait… The back-end doesn’t check the caller’s privileges on the second (confirmation) step of upgrading a user?
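To make the flaw concrete, here is an added example (my own model, not the lab’s real back-end) of a /admin-roles handler in two shapes: one that only checks the caller’s role on the first step, so a request that arrives with confirmed=true is applied without any check, and a hardened one that checks the role on every request and only accepts a confirmation that matches a change recorded server-side by step one. The user table, the Request/Response classes and the pending dictionary are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample user table (role per username); not the lab's real data.
USERS = {"administrator": "admin", "wiener": "user", "carlos": "user"}


@dataclass
class Request:
    user: str      # the authenticated session user (hypothetical session model)
    params: dict   # the POST body parameters


@dataclass
class Response:
    status: int
    body: str


def _apply_role_change(users, username, action):
    """Perform the privilege change; callers must have authorized it already."""
    if username not in users:
        return Response(400, "unknown user")
    if action not in ("upgrade", "downgrade"):
        return Response(400, "bad action")
    users[username] = "admin" if action == "upgrade" else "user"
    return Response(200, f"{username} is now {users[username]}")


def admin_roles_vulnerable(req, users):
    """Flawed shape: only the first (unconfirmed) step checks the caller's role.
    The confirmed step assumes step one already ran, so any logged-in user who
    sends confirmed=true directly bypasses the check entirely."""
    if req.params.get("confirmed") == "true":
        # No role check on this branch: this is the missing access control.
        return _apply_role_change(users, req.params.get("username"), req.params.get("action"))
    if users.get(req.user) != "admin":
        return Response(401, "Unauthorized")
    if "username" not in req.params or "action" not in req.params:
        return Response(400, "missing parameters")
    return Response(200, "Are you sure?")


def admin_roles_hardened(req, users, pending):
    """Role check on every request, and the confirmation step must match a
    server-side pending change recorded by step one for this same admin.
    `pending` maps acting admin -> (username, action) awaiting confirmation."""
    if users.get(req.user) != "admin":
        return Response(401, "Unauthorized")
    username = req.params.get("username")
    action = req.params.get("action")
    if username is None or action is None:
        return Response(400, "missing parameters")
    if req.params.get("confirmed") == "true":
        # Confirmation is only valid for the exact change step one recorded.
        if pending.get(req.user) != (username, action):
            return Response(403, "no matching pending change")
        del pending[req.user]
        return _apply_role_change(users, username, action)
    pending[req.user] = (username, action)
    return Response(200, "Are you sure?")


if __name__ == "__main__":
    users = dict(USERS)
    direct = Request("wiener", {"username": "wiener", "action": "upgrade", "confirmed": "true"})
    print("vulnerable:", admin_roles_vulnerable(direct, users), users["wiener"])
    users, pending = dict(USERS), {}
    print("hardened:  ", admin_roles_hardened(direct, users, pending), users["wiener"])
```

The fix is not simply "also check the role on the confirmed branch": the pending-change record makes the confirmation step depend on state only step one can create, so a request cannot skip straight to step two even from an administrator’s session.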

Now, let’s refresh the page to see whether we’re an administrator:

We’re indeed an administrator!

What we’ve learned:

  1. Multi-step process with no access control on one step