URL-based access control can be circumvented
https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented
Last updated
Let's try to access the admin panel. Since we are proxying the traffic through Burp Suite, we can go to Proxy > HTTP History to view the request. Let's send the request to the Repeater for further modification.

Once inside the Repeater, set the request URI to:

And add the following request header:

This header overrides the URI present in the original request: the front end applies its URL-based access control only to the URI on the request line and forwards the request unchanged, while the back end routes on the header value instead. Check the response in Repeater; it should now contain the admin panel rather than the block page.
In order to delete the user carlos, we have to set the original URL to:

And modify the header to the following:

Let's go and check the panel through the browser. We have solved the lab.
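The following is an added example, not code from the lab or from PortSwigger, that models the front-end/back-end mismatch the write-up exploits so the bypass and its fix can be run offline. Everything specific in it is an assumption, since the page leaves the values out: the override header is assumed to be `X-Original-URL` (with `X-Rewrite-URL` as a second commonly honoured name), the admin panel is assumed to live at `/admin`, and the deletion endpoint at `/admin/delete?username=<name>`. Both "servers" are in-memory stand-ins; `front_end` enforces the rule on the request-target only, `back_end` honours the override header, and `hardened=True` shows the fix of stripping override headers at the proxy.

```python
"""Model of URL-based access control bypassed via an override header.

Added example; not the lab's own code. Assumed (not stated on the page):
header names X-Original-URL / X-Rewrite-URL, admin panel at /admin,
deletion endpoint /admin/delete?username=<name>.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Header names that some back ends treat as a replacement request-target (assumed).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    method: str
    target: str                              # request-target as sent, e.g. "/?username=carlos"
    headers: Dict[str, str] = field(default_factory=dict)


def front_end(req: Request, hardened: bool = False) -> Optional[Request]:
    """Reverse proxy that enforces the /admin restriction on the request line only.

    Returns None when the request is blocked (the proxy would answer 403),
    otherwise the request it forwards to the back end. With hardened=True the
    proxy drops any override header so the back end cannot be re-routed.
    """
    if urlsplit(req.target).path.startswith("/admin"):
        return None
    fwd_headers = {
        k: v for k, v in req.headers.items()
        if not (hardened and k.lower() in OVERRIDE_HEADERS)
    }
    return Request(req.method, req.target, fwd_headers)


def back_end(req: Request) -> str:
    """Application server that routes on the override header when present.

    Returns a label for the route it actually executes. The query string of
    the original request line is used when the override value carries none,
    which is why "/?username=carlos" plus an override of "/admin/delete"
    reaches the delete handler with username=carlos.
    """
    effective = req.target
    for k, v in req.headers.items():
        if k.lower() in OVERRIDE_HEADERS:
            effective = v                    # header replaces the request-target
            break
    parts = urlsplit(effective)
    qs = parse_qs(parts.query) or parse_qs(urlsplit(req.target).query)
    if parts.path == "/admin":
        return "admin-panel"
    if parts.path == "/admin/delete":
        user = qs.get("username", [""])[0]
        return f"deleted:{user}" if user else "delete:missing-username"
    return "public"


def send(req: Request, hardened: bool = False) -> str:
    """Run one request through the proxy and, if forwarded, the back end."""
    fwd = front_end(req, hardened)
    return "blocked-by-front-end" if fwd is None else back_end(fwd)


def bypass_requests() -> List[Request]:
    """The two-step sequence from the write-up, with the assumed values filled in."""
    return [
        Request("GET", "/", {"X-Original-URL": "/admin"}),
        Request("GET", "/?username=carlos", {"X-Original-URL": "/admin/delete"}),
    ]


def run_lab(hardened: bool = False) -> List[str]:
    """Outcome of each bypass step against the vulnerable or hardened proxy."""
    return [send(r, hardened) for r in bypass_requests()]


if __name__ == "__main__":
    print("direct /admin :", send(Request("GET", "/admin")))
    print("vulnerable    :", run_lab())
    print("hardened      :", run_lab(hardened=True))
```

Against the vulnerable model the two requests yield `admin-panel` and `deleted:carlos`, exactly the effect the write-up achieves in Repeater; with the override headers stripped at the proxy both collapse to the public route, and a direct `/admin` request is still blocked either way. The real fix is to apply the access check where routing actually happens (the back end) rather than trusting the proxy's view of the URL, with header stripping as defence in depth.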