
User Role Controlled By Request Parameter


Access Control

Lab #3: User Role Controlled By Request Parameter

Hola 👋 welcome back. This is the write-up for Lab #3, User Role Controlled By Request Parameter, from the Access Control labs on PortSwigger's Web Security Academy. In this lab, we will access the admin panel and delete the user carlos. Let's get started, friends!



End Goal:

  • Locate and access the admin panel by forging the cookie that carries the user's role.
  • Use the admin panel to delete the user carlos.

Testing For Vulnerabilities:


  • Using Burp Suite, send the request for the main page to the Repeater tab so we can probe for unprotected administrative functionality. Changing the path to /admin and sending the request returns a 401 response, meaning "unauthorized": the admin panel exists, but the server refuses it to a user who is not recognised as an administrator.


  • Let's log in to our own account with the credentials wiener:peter. In the Proxy tab, turn Intercept on so we can catch and modify the login request. Let's see 👀.


  • The intercepted request uses the POST method (it sends the login form data to the server). Send it to the Repeater tab, where it is easier to edit and resend.
  • Notice the cookie header that comes back with the login: besides the session cookie, the server sets admin=false, a flag that says the user associated with this session is not an administrator. That flag is entirely under our control. Modify the request by changing the path to "/admin", keeping our session cookie, and changing admin=false to admin=true. Sending this request takes us straight to the admin panel, because the server trusts the client-supplied role flag instead of checking the role server-side. Bingo 😂


  • Looking at the HTML of the admin panel response, we can find the link that deletes the user "carlos". Sending a request to that link with the same forged cookie deletes the user, and following the redirect back to the panel confirms it. That completes the lab.
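To make the root cause concrete, here is an added example (not code from the write-up or from the lab) that models the two sides of this bug in Python: a handler that derives the role from the client-supplied `admin` cookie, next to a hardened handler that ignores that cookie and looks the role up from the server-side session. The session ids, the lowercase cookie name `admin` (as reported in the write-up), the `/admin/delete?username=...` endpoint and the `Host` header are all assumptions made for illustration; the `run_attack` function replays the three steps above (anonymous `/admin`, forged `/admin`, forged delete) against either policy and returns the status codes plus the surviving users.

```python
# Added example, not from the write-up or the lab: a minimal model of the
# lab's access check. The "admin" cookie name, the session ids, the delete
# endpoint and the Host header are assumptions for illustration.
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    path: str      # path plus optional query string, e.g. "/admin/delete?username=carlos"
    cookies: dict  # parsed Cookie header


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie header value into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_admin(req: Request, sessions: dict) -> bool:
    """The lab's flaw: the role is read from a flag the client sent,
    so any logged-in user can flip admin=false to admin=true."""
    return req.cookies.get("admin") == "true"


def hardened_is_admin(req: Request, sessions: dict) -> bool:
    """Fix: resolve the role from the opaque session id server-side.
    The client-supplied admin flag is never consulted."""
    entry = sessions.get(req.cookies.get("session"))
    return bool(entry and entry["is_admin"])


def handle(req: Request, sessions: dict, users: set, is_admin) -> int:
    """Route the admin endpoints and return an HTTP status code.
    `is_admin` is the policy under test; deletions mutate `users`."""
    url = urlsplit(req.path)
    if not url.path.startswith("/admin"):
        return 404
    if not is_admin(req, sessions):
        return 401                       # what an unprivileged /admin request gets
    if url.path == "/admin":
        return 200                       # admin panel rendered
    if url.path == "/admin/delete":      # assumed delete endpoint
        target = parse_qs(url.query).get("username", [None])[0]
        if target in users:
            users.discard(target)
            return 302                   # redirect back to the panel
        return 404
    return 404


def forged_admin_request(session_id: str, path: str = "/admin") -> str:
    """The raw request as edited in Repeater: our own session cookie kept,
    the role flag flipped to true. Host header is a placeholder."""
    return (f"GET {path} HTTP/1.1\r\n"
            "Host: lab.example\r\n"
            f"Cookie: session={session_id}; admin=true\r\n\r\n")


def run_attack(is_admin):
    """Replay the write-up's steps against one policy.
    Returns ([status for anon /admin, forged /admin, forged delete], remaining users)."""
    # Constructed server state: wiener is logged in and is not an admin.
    sessions = {"s-wiener": {"user": "wiener", "is_admin": False}}
    users = {"wiener", "carlos", "administrator"}
    anon = Request("GET", "/admin", {})
    forged = parse_cookie_header("session=s-wiener; admin=true")
    panel = Request("GET", "/admin", forged)
    delete = Request("GET", "/admin/delete?username=carlos", forged)
    statuses = [handle(r, sessions, users, is_admin) for r in (anon, panel, delete)]
    return statuses, users


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_is_admin))  # carlos is gone
    print("hardened:  ", run_attack(hardened_is_admin))    # 401s, carlos survives
    print(forged_admin_request("s-wiener"))
```

Under the vulnerable policy the forged cookie yields 200 on `/admin` and the delete succeeds; under the hardened policy the same requests get 401 because the role comes from the server's session table, which is the fix the lab is teaching: never let the client assert its own privilege level.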


And with that we have completed our goal: we reached the admin panel by forging the role cookie and deleted the user "carlos".

That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything that is not clear here. Here is my Twitter account: @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!


This post is licensed under CC BY 4.0 by the author.