Method-based access control can be circumvented
https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented
Let's log in as the admin using the following credentials:
Username | Password |
---|---|
administrator | admin |
We can now upgrade the `carlos` user to admin.
Since we are proxying the traffic through Burp Suite, we will be able to view this request in the Proxy > HTTP History tab.
Let's forward this request to the Repeater for further modification.
Next, let's log out and log back in using the following credentials:
Username | Password |
---|---|
wiener | peter |
We can go to the Proxy > HTTP History tab to get the session cookie.
Now, let's go back to the Repeater tab and change the request method to POST.
Next, we have to replace the session cookie with the one from the `wiener` user's request. We also have to set the `username` parameter to the following:
Let's go and check the browser.
We have solved the lab.
Username | Password |
---|---|
wiener | peter |
administrator | admin |
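The walkthrough above succeeds because the role-change request is authorized for one HTTP method only. The following is an added example (not part of the original write-up and not the lab's code) that models that flaw beside a method-independent check and lists which methods a non-admin can still use. The path, role names and status codes are assumptions, and the method the rule covers is passed in as a parameter because the page does not state it.

```python
"""Added example: a method-keyed access rule beside a method-independent one."""

ADMIN_PATH = "/admin/change-role"  # hypothetical path, not taken from the lab
PROBE_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]


def flawed_status(method, path, role, protected_method):
    """Flawed: the admin rule exists only for one method (constructed policy)."""
    if path == ADMIN_PATH and method.upper() == protected_method:
        return 200 if role == "admin" else 403
    # No rule matched this method/path pair, so the request falls through
    # to the handler, which does not look at the method at all.
    return 200


def hardened_status(method, path, role, served_method):
    """Hardened: authorize on the path first, then reject unserved methods."""
    if path != ADMIN_PATH:
        return 404
    if role != "admin":
        return 403  # decided before the method is even considered
    if method.upper() != served_method:
        return 405  # the route serves exactly one method
    return 200


def methods_open_to(role, check, method_arg):
    """Regression check: which methods let `role` reach the admin action?"""
    return [m for m in PROBE_METHODS
            if check(m, ADMIN_PATH, role, method_arg) == 200]


if __name__ == "__main__":
    # Run the same probe against both checks for two constructed policies.
    for protected in ("GET", "POST"):
        print(protected, "flawed:  ",
              methods_open_to("user", flawed_status, protected))
        print(protected, "hardened:",
              methods_open_to("user", hardened_status, protected))
```

A check like `methods_open_to` fits in an integration test suite: the list returned for a non-admin role should be empty for every privileged route.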