User Role Controlled by Request Parameter – Lab Outline
This is a walk-through of a lab on the PortSwigger Web Security Academy site. It’s the third lab in the ‘Access Control’ section. The reading material can be found on this page and the lab can be found here.

In this lab, the admin panel is protected. However, as the lab description notes, the application decides whether a user is an admin from a cookie, and a cookie is entirely under the client's control, so it can be forged. The objective is to manipulate that cookie, gain access to the admin panel and delete the user ‘carlos’. For this lab, I will use a tool called Burp Suite.
How The Lab Was Solved
First I checked the admin panel by adding /admin to the URL. This resulted in a ‘Not Found’ page. I went to the login page of the lab and input the credentials given in the lab outline: wiener:peter
Failed Attempts
After signing in I noticed that the URL was appended with /my-account?id=viewer. Forgetting that the lab outline mentioned a forgeable cookie, I got to work trying to edit the URL. I tried edits like /my-account?id=admin, /my-account?id=0 and a few others. Of course, all of these failed. Then I started focusing on the cookie.
Successful Attempt
I signed out of the wiener account in the lab. Then I opened Burp Suite and turned on intercept (other steps were necessary to connect the browser through the Burp proxy, but that’s outside the scope of this walk-through). Adding the lab’s URL to the scope in the Target section of Burp Suite would help with this process.

I input the credentials again and pressed enter. Burp Suite intercepted the traffic, showing the cookie that needed to be edited. I edited the cookie, then forwarded the traffic and turned intercept off. When I checked the /admin page again, it still failed. However, I instantly had an idea of what the problem was. Editing the cookie wasn’t necessary at login. It was necessary when going to the admin panel.
With this in mind, I turned intercept on again and returned to the /admin page. The forgeable cookie showed up again.

I then changed the parameter from Admin=false to Admin=true and forwarded the traffic. This needed to be done a few times. When deleting ‘carlos’, this also needed to be done. Once ‘carlos’ is deleted, the lab is completed.
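To make the flaw concrete, here is an added example of my own (not code from the lab or from PortSwigger) that models both sides of what the walk-through does: the Burp edit that rewrites Admin=false to Admin=true in the Cookie header, the vulnerable server-side check that trusts that cookie, and a corrected check that takes the role from a server-side session instead. The session table, the session ids and the cookie name `session` are assumptions made for the example; the lab’s real backend is not shown.

```python
from http.cookies import SimpleCookie

# Constructed server-side session table (an assumption for this example; the
# lab's real backend is not shown). The server assigned these roles at login.
SESSION_STORE = {
    "s3ss10n-wiener": {"user": "wiener", "role": "viewer"},
    "s3ss10n-admin": {"user": "administrator", "role": "admin"},
}


def parse_cookie_header(cookie_header):
    """Turn a raw Cookie: header value into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def forge_admin_cookie(cookie_header):
    """Client side: the edit made in Burp, Admin=false -> Admin=true.

    Every other cookie (the session id in particular) is kept as it was.
    """
    cookies = parse_cookie_header(cookie_header)
    cookies["Admin"] = "true"
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def is_admin_vulnerable(cookie_header):
    """The lab's flaw: the role is read straight from a client-supplied cookie."""
    cookies = parse_cookie_header(cookie_header)
    return cookies.get("Admin", "false").lower() == "true"


def is_admin_hardened(cookie_header, session_store=SESSION_STORE):
    """Fixed check: the role is looked up in the server-side session.

    The Admin cookie, forged or not, is never consulted.
    """
    cookies = parse_cookie_header(cookie_header)
    session = session_store.get(cookies.get("session", ""))
    if session is None:
        return False  # no valid session: the caller is not even authenticated
    return session["role"] == "admin"


def admin_delete_user(cookie_header, username, users, check_admin):
    """Model of the /admin delete endpoint; returns an HTTP-style status code.

    `check_admin` is whichever authorization check the server uses.
    """
    if not check_admin(cookie_header):
        return 401
    if username not in users:
        return 404
    del users[username]
    return 200


if __name__ == "__main__":
    wiener_cookie = "session=s3ss10n-wiener; Admin=false"  # constructed, as set at login
    forged = forge_admin_cookie(wiener_cookie)
    print("forged Cookie header:", forged)
    for label, check in (("vulnerable", is_admin_vulnerable), ("hardened", is_admin_hardened)):
        users = {"carlos": {}, "wiener": {}}
        status = admin_delete_user(forged, "carlos", users, check)
        print(f"{label}: DELETE carlos -> {status}, remaining users {sorted(users)}")
```

With the vulnerable check, the forged header deletes carlos (200); with the hardened check, the same header is refused (401) because wiener’s session still carries the role the server assigned at login. The hardened version still reads a cookie, but only as an opaque session id that references server-side state; the client can present a different id, not rewrite the role attached to it. This is also why the edit had to be made on the request to /admin rather than at login: the server sets Admin=false in the login response, and only the later request carrying it is what the authorization check looks at.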