User role controlled by request parameter | Dec 12, 2022
Introduction
Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: User role controlled by request parameter! Without further ado, let’s dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.
Solve the lab by accessing the admin panel and using it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Exploitation
Home page:
Login as user wiener:
In the lab background, it said:
This lab has an admin panel at
/admin, which identifies administrators using a forgeable cookie.
Let’s view our cookies!
As you can see, there is a cookie called Admin, and it’s value is false.
Hmm… What if I change the value to true?? Will I become an administrator??
Now let’s go to the admin panel at /admin:
I’m allowed to go to the admin panel!
Let’s delete user carlos!
What we’ve learned:
- User role controlled by request parameter