URL-based access control can be circumvented

https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented

Let's try to access the admin panel.

Since we are proxying the traffic through Burp Suite, we can go to Proxy > HTTP History to view the request.

Let's forward the request to the Repeater for further modification.

Once inside the Repeater, set the request URI to:

/

And add the following request header:

X-Original-URL: /admin

This header overrides the URI present in the original request: the front-end access control only checks the `/` in the request line and lets the request through, while the back end routes it to `/admin` taken from the header.

In order to delete the carlos user, we have to set the original URL to:

/?username=carlos

And modify the header to the following:

X-Original-URL: /admin/delete

Let's go and check the panel through the browser.

We have solved the lab.
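The following Python model is added here and is not part of the lab or of PortSwigger's materials. It shows why the bypass works and what the defender-side fix looks like: a front-end check that inspects only the request line beside one that refuses client-supplied override headers and decides on the target the back end actually routes to, plus a detection pass over constructed requests. The header names, the routing behaviour (path from the header, query string kept from the request line) and the sample requests are all assumptions.

```python
from urllib.parse import urlsplit

# Header names the back end is assumed to honour as a path override (case-insensitive).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
RESTRICTED_PREFIX = "/admin"


def override_value(headers):
    """Return the first override header value present, or None."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return lowered[name]
    return None


def effective_target(request_target, headers):
    """Target the back end routes to: path from the override header when present,
    query string from the request line (the behaviour the lab relies on; assumed)."""
    parts = urlsplit(request_target)
    override = override_value(headers)
    path = urlsplit(override).path if override is not None else parts.path
    return path + ("?" + parts.query if parts.query else "")


def naive_front_end_allows(request_target, headers):
    """Vulnerable check: looks only at the request line, so '/' always passes."""
    return not urlsplit(request_target).path.startswith(RESTRICTED_PREFIX)


def hardened_front_end_allows(request_target, headers):
    """Fixed check: refuse override headers from clients, then decide on the routed target."""
    if override_value(headers) is not None:
        return False
    return not effective_target(request_target, headers).startswith(RESTRICTED_PREFIX)


# Constructed sample requests as (request line target, headers) for the detection pass.
SAMPLE_REQUESTS = [
    ("/my-account", {"Host": "shop.example"}),
    ("/", {"Host": "shop.example", "X-Original-URL": "/admin"}),
    ("/?username=carlos", {"Host": "shop.example", "X-Original-Url": "/admin/delete"}),
]


def find_override_mismatches(requests):
    """Detection: report requests whose routed target differs from the request line."""
    findings = []
    for target, headers in requests:
        routed = effective_target(target, headers)
        if routed != target:
            findings.append((target, routed))
    return findings
```

The mismatch list is what a proxy or WAF log review should surface: any request where the routed target differs from the request line is either a misconfigured internal rewrite or an attempt like the one in this lab.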
