Referer-based access control | Dec 14, 2022
Introduction
Welcome to another one of my writeups! In this PortSwigger Labs lab, you'll learn about referer-based access control. Without further ado, let's dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials `administrator:admin`.

To solve the lab, log in using the credentials `wiener:peter` and exploit the flawed access controls to promote yourself to become an administrator.
Exploitation
Home page:
Let's log in as `administrator` to view the admin panel:
In here, we can see that an administrator-level user can upgrade or downgrade a user's privilege.
Let's try to upgrade a user's privilege and intercept that request via Burp Suite:
When an administrator upgrades a user, the browser sends a GET request to `/admin-roles` with two parameters: `username` and `action` (`upgrade`/`downgrade`).

It also includes a `Referer` HTTP header!
Armed with the above information, we can log in as user `wiener` and try to escalate our privilege to administrator:
Now, we can try to send a GET request to `/admin-roles` via Burp Suite's Repeater:
However, we get an `Unauthorized` error.
In the above GET request, we can see that it includes a `Referer` HTTP header.
What if I change that to `/admin`, which is the admin panel location?
Nice! This time we don't get the `Unauthorized` error!
Let's refresh the page and verify whether we're an administrator:

We're an administrator!!
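To make the root cause concrete, here is an added example (my own code, not the lab's implementation) of a minimal `/admin-roles` handler written two ways: first guarded the way the lab is, by inspecting the client-supplied `Referer` header, then guarded by the role bound to the server-side session. The user store, the `Request` dataclass and the hostname `example.invalid` are constructed for the example. Running the same low-privilege request through both shows why the first control is not a control at all: any header the client sends is under the client's control, so the server's decision must rest on state the server owns.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def fresh_users() -> Dict[str, str]:
    """Constructed in-memory user store: username -> role (hypothetical data)."""
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the handler sees it."""
    path: str
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    # Username resolved server-side from the session cookie (None = no session).
    session_user: Optional[str] = None


def _apply_role_change(req: Request, users: Dict[str, str]) -> Tuple[int, str]:
    """Shared business logic: validate parameters and change the target's role."""
    target = req.params.get("username")
    action = req.params.get("action")
    if target not in users or action not in ("upgrade", "downgrade"):
        return 400, "Bad request"
    users[target] = "admin" if action == "upgrade" else "user"
    return 200, f"{target} is now {users[target]}"


def admin_roles_referer_check(req: Request, users: Dict[str, str]) -> Tuple[int, str]:
    """Flawed control, as in the lab: trusts the client-supplied Referer header.

    Whatever path the Referer points at, the header itself was composed by the
    client, so this check only confirms what the client chose to send.
    """
    referer_path = urlparse(req.headers.get("Referer", "")).path
    if referer_path != "/admin":
        return 401, "Unauthorized"
    return _apply_role_change(req, users)


def admin_roles_session_check(req: Request, users: Dict[str, str]) -> Tuple[int, str]:
    """Fixed control: decides on the role the server has bound to the session.

    The caller's identity comes from the session cookie, and the role is looked
    up in server-side state, so nothing in the request body or headers can
    promote the caller.
    """
    if req.session_user is None or users.get(req.session_user) != "admin":
        return 401, "Unauthorized"
    return _apply_role_change(req, users)


def demo() -> Dict[str, object]:
    """Runs one low-privilege request through both controls and reports the outcome."""
    # wiener's own session asks to upgrade wiener; the Referer claims to come
    # from the admin panel. Both values are constructed for the example.
    req = Request(
        path="/admin-roles",
        params={"username": "wiener", "action": "upgrade"},
        headers={"Referer": "https://example.invalid/admin"},
        session_user="wiener",
    )
    users_a, users_b = fresh_users(), fresh_users()
    return {
        "referer_check": admin_roles_referer_check(req, users_a),
        "referer_check_role": users_a["wiener"],
        "session_check": admin_roles_session_check(req, users_b),
        "session_check_role": users_b["wiener"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The Referer-based version returns 200 and leaves `wiener` with the `admin` role, which is exactly the lab's bug; the session-based version returns 401 and leaves the role untouched. From a detection standpoint the same distinction applies: a request to `/admin-roles` carrying an admin-panel Referer but a non-admin session is the signal to alert on, since a legitimate admin action always has both.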
What we’ve learned:
- Referer-based access control