Method-based access control can be circumvented
https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented
Last updated
https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented
Last updated
Let's login as the admin using the following credentials:
| Username | Password |
|---|---|
We can now upgrade the carlos user to admin.
Since we are proxying the traffic through Burp Suite, we will be able to view this request in the Proxy > HTTP History tab.
Let's forward this request to the Repeater for further modification.
Next, let's log out and log back in using the following credentials:
We can go to the Proxy > HTTP History tab to get the session cookie.
Now, let's go back to the Repeater tab and change the request method to POST.
Next, we have to replace the session cookie with the one from the wiener user's request. We also have to set the username parameter to the following:
Let's go and check the browser.
We have solved the lab.
| Username | Password |
|---|---|
wiener
peter
administrator
admin
