Unprotected admin functionality With unpredictable URL

Access control

Lab #2: Unprotected admin functionality With unpredictable URL

Hola 👋 welcome back. This is the write-up for Lab #2, Unprotected Admin Functionality with Unpredictable URL, from the Access Control labs on Web Security Academy. We are given the task of accessing the admin panel and deleting the user Carlos. Let’s get started!


End Goal:

  • Locate and access the admin panel.
  • Use it to delete the user Carlos.

Testing for vulnerabilities:

  • Using Burp Suite, send the main page request to the Repeater tab.

  • From the lab’s main page, let’s first test for unprotected functionality exposed through the URL by requesting the “robots.txt” file (a text file placed on a website that tells web crawlers which pages or files they may or may not access). Here, however, the request returned “not found”.

  • Next, let’s check the source code of the main lab’s page for any comments or JavaScript that were accidentally left behind during development or production that disclose the admin panel functionality.
  • We found the path to the admin panel.

  • Navigating to that path gives us a 200 OK response. We are in the admin panel and, by checking its source code, we find the URL that deletes the user Carlos.

  • Going to the path to delete the user Carlos gives us a redirection and deletes the user.
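To make the root cause concrete, here is an added example (my own code, not part of the lab or of PortSwigger’s application) that models the admin panel two ways: the lab’s “authorization by obscurity”, where the only protection is that the path is hard to guess, and a hardened version that checks the caller’s role server-side on every admin request and only accepts the destructive delete over POST. The admin path, the user list and the session contents are constructed placeholders, not the lab’s real values.

```python
"""
Added example: a minimal in-memory model of an admin panel protected only by an
unpredictable URL, beside a version with real server-side access control.
All paths, users and sessions below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed placeholder for the hard-to-guess admin path; not the lab's real path.
ADMIN_PATH = "/admin-k7f9x2"


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    # Server-side session, e.g. {"user": "wiener", "role": "user"}; empty = anonymous.
    session: dict = field(default_factory=dict)


def fresh_users():
    """Constructed user table: name -> role."""
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def vulnerable_app(req, users):
    """Authorization by obscurity: anyone who learns ADMIN_PATH (e.g. from a leaked
    HTML comment) gets the panel, and a plain GET deletes a user."""
    if req.path == ADMIN_PATH:
        return 200, "admin panel: " + ", ".join(users)
    if req.path == ADMIN_PATH + "/delete":
        users.pop(req.query.get("username"), None)  # no auth, side effect on GET
        return 302, ADMIN_PATH
    return 404, "not found"


def hardened_app(req, users):
    """Server-side access control: the role is checked before anything under the
    admin prefix is served, and the delete action requires POST so that a link,
    prefetch or crawler cannot trigger it."""
    if not req.path.startswith(ADMIN_PATH):
        return 404, "not found"
    if req.session.get("role") != "admin":
        # 403 is used here for clarity; returning 404 instead would also avoid
        # confirming to an unauthenticated caller that the path exists.
        return 403, "forbidden"
    if req.path == ADMIN_PATH:
        return 200, "admin panel: " + ", ".join(users)
    if req.path == ADMIN_PATH + "/delete":
        if req.method != "POST":
            return 405, "method not allowed"
        name = req.query.get("username")
        if name not in users:
            return 404, "no such user"
        del users[name]
        return 302, ADMIN_PATH
    return 404, "not found"


def run_demo():
    """Replays the lab's anonymous GET to the delete URL against both versions and
    returns the observed (status, carlos_still_present) pairs."""
    delete_req = Request("GET", ADMIN_PATH + "/delete", {"username": "carlos"})

    users = fresh_users()
    status_vuln, _ = vulnerable_app(delete_req, users)
    vuln_result = (status_vuln, "carlos" in users)

    users = fresh_users()
    status_hard, _ = hardened_app(delete_req, users)
    hard_result = (status_hard, "carlos" in users)

    return {"vulnerable": vuln_result, "hardened": hard_result}


if __name__ == "__main__":
    for name, (status, present) in run_demo().items():
        print(f"{name:10s} status={status} carlos_present={present}")
```

Running the module prints `vulnerable  status=302 carlos_present=False` and `hardened  status=403 carlos_present=True`: the same request that deletes Carlos in the lab is refused once the role check lives on the server rather than in the secrecy of the URL. Robots.txt exclusions, obscure paths and stripped-out links are discoverability controls, not authorization; the fix is the check in `hardened_app`.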

That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!

This post is licensed under CC BY 4.0 by the author.