Referer-based access control

https://portswigger.net/web-security/access-control/lab-referer-based-access-control

We can login as the admin using the following credentials:

Username	Password
administrator	admin

Let's go to the admin panel and upgrade the carlos user.

Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view the request.

Notice that the request contains the Refered header set to the following:

https://0ab4000404f019d8885f257200e0002f.web-security-academy.net/admin

That tells the server that the request is coming from the /admin page which can only be accessed by the administrator.

Let's forward this request to the Repeater for further modification.

Next, let's logout and login using the following credentials:

Username	Password
wiener	peter

We now have to replace the session cookie in the Repeater tab with the wiener user's session cookie and set the username parameter to the following:

wiener

Since we included the Referer header, the server upgraded our user.

Let's check in the browser.

We have solved the lab.