Unprotected Admin Functionality – Lab Outline

This is a walk-through of a lab on the PortSwigger Web Security Academy site. It’s the first lab in the ‘Access Control’ section. The reading material can be found on this page and the lab can be found here.

As the lab outline states, the admin panel is unprotected. The objective, therefore, is first to find the admin panel and then to delete the user ‘carlos’. This lab does not require any additional tools to complete.

Steps Taken To Solve The Lab

My first step was to search for the admin page by adding /admin to the URL.

https://0a2d009e03c314448399555300dd00fc.web-security-academy.net/admin

However, this resulted in a “Not Found” error. I remembered that the reading section mentioned a robots.txt file. The main purpose of this file is to tell search engine crawlers which URLs they may access on a site. As such, certain URL paths would be listed in this file. I then changed the /admin to /robots.txt.

https://0a2d009e03c314448399555300dd00fc.web-security-academy.net/robots.txt

This resulted in the location of the admin panel being shown.

I then updated the URL once more.

https://0a2d009e03c314448399555300dd00fc.web-security-academy.net/administrator-panel

This led me to the unprotected admin panel.

I deleted carlos and the lab was completed.
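The lesson of the lab is that robots.txt is a hint to crawlers, not an access control: any path it names is effectively public, so the only real protection for an admin route is a server-side authorization check. The following is an added Python example (not the lab's code and not part of the original post) that parses a constructed robots.txt in the same shape as the lab's, then models the lab's flaw beside its hardened form. The `Session`, `unprotected_admin` and `protected_admin` names are assumptions made for the illustration.

```python
"""Added example (not part of the PortSwigger lab or the original post):
a Disallow entry in robots.txt discloses a path but does not protect it.
The fix is an authorization check on the route, not a better-hidden path."""
from dataclasses import dataclass
from typing import Optional

# Constructed robots.txt, shaped like the one in the lab (not the real file).
ROBOTS_TXT = """User-agent: *
Disallow: /administrator-panel
"""


def disallowed_paths(robots_txt: str) -> list[str]:
    """Return the paths a robots.txt asks crawlers not to fetch.

    Defenders should treat every Disallow entry as public knowledge and make
    sure the path itself enforces authentication and authorization.
    """
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:                           # an empty Disallow allows everything
                paths.append(value)
    return paths


@dataclass
class Session:
    """Hypothetical session: user is None for an anonymous visitor."""
    user: Optional[str] = None
    role: str = "guest"


def unprotected_admin(path: str, session: Session) -> tuple[int, str]:
    """The lab's flaw, modelled: the admin route checks nothing but the path."""
    if path == "/administrator-panel":
        return 200, "admin panel"
    return 404, "Not Found"


def protected_admin(path: str, session: Session) -> tuple[int, str]:
    """Hardened form: the path may be public; the caller's role is what matters."""
    if path == "/administrator-panel":
        if session.user is None:
            return 401, "authentication required"
        if session.role != "admin":
            return 403, "forbidden"
        return 200, "admin panel"
    return 404, "Not Found"


if __name__ == "__main__":
    disclosed = disallowed_paths(ROBOTS_TXT)
    print("paths disclosed by robots.txt:", disclosed)
    anonymous = Session()
    for handler in (unprotected_admin, protected_admin):
        status, body = handler(disclosed[0], anonymous)
        print(f"{handler.__name__}: anonymous visitor -> {status} {body}")
```

Run it and the unprotected handler serves the admin panel to an anonymous visitor who simply read robots.txt, while the protected handler answers 401 for anonymous users and 403 for authenticated non-admins regardless of whether the path is known.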
