Referer-based access control | Dec 14, 2022
Introduction
Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Referer-based access control! Without further ado, let’s dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Exploitation
Home page:
Let’s login as administrator to view the admin panel:
In here, we can see an adminstrator level user can upgrade or downgrade a user’s privilege.
Let’s try to upgrade a user privilege, and intercept that request via Burp Suite:
When an administrator try to upgrade a user, it’ll send a GET request to /admin-roles, with the parameter: username and action (upgrade/downgrade).
Also, it includes a Referer HTTP header!
Armed with above information, we can login as user wiener, and try to escalate our privilege to administrator:
Now, we can try to send a GET request to /admin-roles via Burp Suite’s Repeater:
However, we get Unauthorized error.
In the above GET request, we can see that it includes a Referer HTTP header.
What if I change that to /admin? Which is the admin panel location:
Nice! This time we don’t have Unauthorized error!
Let’s refresh the page and verify we’re administrator or not:
We’re administrator!!
What we’ve learned:
- Referer-based access control