Access Control Vulnerabilities (Portswigger Apprentice Labs)

This document discusses several access control vulnerability labs involving unprotected admin panels or privilege escalation. The labs can be solved by using Burp Suite to intercept requests, analyse the parameters and cookies that control access, and modify their values to gain unauthorised access. For example, one lab involves finding another user's ID in a blog author URL, then modifying the id parameter in account requests to view that user's account. The goal is typically to access an admin panel and delete a test user account to complete the lab. Careful analysis of request parameters is key to solving these labs.

Uploaded by

Tushar Puranik
Copyright © All Rights Reserved

Access Control Vulnerabilities

Refer for theory: https://portswigger.net/web-security/access-control

Vulnerability labs (Apprentice):

1. Unprotected admin functionality.


This lab has an unprotected admin panel.
Solve the lab by deleting the user, Carlos.

Solution:
o The goal of this lab is to find the admin panel, which has no authentication in front of it.

o Append the following path to the lab URL:


/robots.txt
o This returns the site's robots.txt file. It is served by the same site, not a redirect to a
different one, and its Disallow entry names a path the site does not want crawlers to index,
which is where the admin panel is disclosed.
o Based on that entry, append /administrator-panel to the lab URL to check whether the
admin panel can be reached directly.
o Load the URL and you will see that the admin panel appears without any login.

o Delete the account Carlos and the lab will be completed.


2. Unprotected admin functionality with unpredictable URL.
This lab has an unprotected admin panel. It's located at an unpredictable location, but the
location is disclosed somewhere in the application.
Solve the lab by accessing the admin panel, and using it to delete the user, Carlos.

Solution:
o Once the lab is loaded, turn on the proxy in the browser and keep intercept on in Burp Suite.
o Refresh the page. If the browser shows a certificate warning for Burp's proxy CA, click
"Accept the risk and continue" so that Burp can intercept the HTTPS traffic.

o Click on the Home button and you will see the requests being captured in Burp.
o Send the request for the home page to Burp Repeater by right-clicking on it and selecting
"Send to Repeater".
o Repeater can be thought of as a playground: you can edit a request, resend it as many times
as you like and inspect the server's actual response without going through the browser.

o Open Repeater and you will see that the request is present there. Click Send to view the
server's response.
o The response is the HTML of the page. Search it for a <script> block: the script contains
the URL of the admin panel (the href that would be assigned to an admin link).

o Once you have found the path, copy it. You can turn intercept and the proxy off in the
browser now.
o Append the copied path to the lab URL.
o Submit the URL and you will see that the admin panel opens. Use it to delete the user Carlos.

o Refresh the browser and the lab should be solved.
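Both of the labs above come down to reading a disclosure source and extracting a path from it: a Disallow line in robots.txt (lab 1) or a string literal in an inline script (lab 2). The script below is an added example, not part of the original notes or of PortSwigger's labs; the robots.txt text, the HTML and the path names in them are constructed placeholders, and the only assumption is that the disclosed paths appear as site-relative string literals.

```python
"""Added example (not from the original notes): pull candidate admin-panel paths
out of the two disclosure sources used in labs 1 and 2, a robots.txt file and an
inline <script> block in the site's HTML. The robots.txt text and the HTML below
are constructed for illustration; the path names in them are invented placeholders,
not the lab's real values."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: a robots.txt that "hides" a path from crawlers.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator-panel
Disallow: /backup/   # constructed second entry
Allow: /
"""

# Constructed sample: an inline script that only attaches the admin link if the
# (client-side!) isAdmin flag is true, but still ships the path to every visitor.
SAMPLE_HTML = """<html><body>
<a href="/">Home</a>
<script>
var isAdmin = false;
if (isAdmin) {
   var topLinksTag = document.getElementsByClassName("top-links")[0];
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-zq1x8k');
   adminPanelTag.innerText = 'Admin panel';
   topLinksTag.append(adminPanelTag);
}
</script>
</body></html>
"""

def disallowed_paths(robots_txt: str) -> list[str]:
    """Return every path listed in a Disallow directive, in file order."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:  # an empty Disallow allows everything; nothing to probe
                paths.append(path)
    return paths

class _ScriptCollector(HTMLParser):
    """Collect the text of every <script> block so it can be searched."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

# String literals that look like site-relative paths, e.g. '/admin-xyz'.
_PATH_LITERAL = re.compile(r"""['"](/[A-Za-z0-9._~/-]+)['"]""")

def script_paths(html: str) -> list[str]:
    """Return site-relative paths found in string literals inside <script> blocks."""
    collector = _ScriptCollector()
    collector.feed(html)
    found = []
    for script in collector.scripts:
        for m in _PATH_LITERAL.finditer(script):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found

def candidate_urls(base_url: str, robots_txt: str, html: str) -> list[str]:
    """Combine both sources into absolute URLs worth requesting without a session."""
    seen = []
    for path in disallowed_paths(robots_txt) + script_paths(html):
        url = urljoin(base_url, path)
        if url not in seen:
            seen.append(url)
    return seen

if __name__ == "__main__":
    for url in candidate_urls("https://example.test/", SAMPLE_ROBOTS, SAMPLE_HTML):
        print(url)
```

Each candidate URL is then requested with no session cookie; a 200 response with the panel's HTML, rather than a redirect to the login page, is the unprotected functionality the labs are about.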


3. User role controlled by request parameter.
This lab has an admin panel at /admin, which identifies administrators using a forgeable
cookie.
Solve the lab by accessing the admin panel and using it to delete the user, Carlos.
You can log in to your own account using the following credentials: wiener:peter
Solution:
o Once you access the lab, you will see the My account option at the top right of the screen.
Click on it.

o A login form appears. At this step turn on FoxyProxy and turn intercept on in Burp Suite.
o Enter the credentials given in the problem statement and click Log in.

o As Burp is intercepting, every request is captured in the tool. Notice that almost every
request from here on carries an Admin cookie, set to false after login. Check each request
so that you do not miss it.
o This cookie is what the application uses to decide whether to grant admin privileges.
Because it is set on the client side, it can be forged.
o Change the value of Admin from false to true in every intercepted request before forwarding it.
o The Admin cookie may sit at a different position in the Cookie header from one request to
the next, so check each request carefully.
o Once the edited requests have been forwarded, an Admin panel link appears on wiener's
My account page.
o Click on it and again change Admin from false to true in each request before forwarding it.
o After forwarding the requests, you are given the privilege to delete user accounts.
o Go ahead and delete the Carlos account.
o You will again have to change the value of Admin in each request until all requests have
been forwarded.
o Turn FoxyProxy off and refresh the page; the lab is solved.
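The reason editing the cookie works is that the server reads its own role decision back from a value the client sends. The following added example (not the lab's code, nor from the original notes) forges the cookie the way Burp does and runs the same header through a check that trusts the cookie and one that looks the role up in a server-side session store; the session IDs, the store and the cookie names are constructed placeholders.

```python
"""Added example (not from the original notes): why an Admin=false cookie is a
forgeable access control. The Cookie header values, the session IDs and the
session store are constructed for illustration; the lab's real implementation
is not shown here."""
from http.cookies import SimpleCookie

# Constructed server-side session store: the only place a role should live.
SESSIONS = {
    "s3ss10n-wiener": {"username": "wiener", "role": "user"},
    "s3ss10n-admin": {"username": "administrator", "role": "admin"},
}

def parse_cookie_header(header: str) -> dict[str, str]:
    """Turn a raw Cookie: header value into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def is_admin_vulnerable(cookie_header: str) -> bool:
    """The lab's pattern: trust a role flag that the client itself sends."""
    cookies = parse_cookie_header(cookie_header)
    return cookies.get("Admin", "false") == "true"

def is_admin_hardened(cookie_header: str) -> bool:
    """Look the role up server-side from the session ID; ignore any Admin cookie."""
    cookies = parse_cookie_header(cookie_header)
    session = SESSIONS.get(cookies.get("session", ""))
    return session is not None and session["role"] == "admin"

def forge(cookie_header: str, name: str, value: str) -> str:
    """What is done in Burp's intercept: rewrite one cookie, leave the rest alone."""
    cookies = parse_cookie_header(cookie_header)
    cookies[name] = value
    return "; ".join(f"{k}={v}" for k, v in cookies.items())

# What the browser sends after wiener logs in (constructed values).
ORIGINAL = "session=s3ss10n-wiener; Admin=false"
FORGED = forge(ORIGINAL, "Admin", "true")

if __name__ == "__main__":
    print("forged header:          ", FORGED)
    print("vulnerable check, forged:", is_admin_vulnerable(FORGED))
    print("hardened check, forged:  ", is_admin_hardened(FORGED))
```

The hardened check still returns True for a genuine administrator session, so the fix costs nothing functionally; it only moves the decision to data the client cannot write.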
4. User role can be modified in user profile.
This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of
2.
Solve the lab by accessing the admin panel and using it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter.
Solution:
o Once you access the lab, click on the My account option at the top right.

o You will be redirected to a login form. Turn on FoxyProxy and turn intercept on in
Burp Suite.
o Enter the credentials given in the problem statement and click Log in. You will be at
the account page.

o Type any email address in the text field and click Update email.
o Open Burp and look at the intercepted requests. One of them, the email update, carries a
JSON body. Send that request to Repeater.

o Once the request is in Repeater, click Send and examine the response.
o The response contains several fields describing the user, one of them being roleid.
o You need to change the value of roleid from 1 to 2.
o On the request side, add the following field to the JSON body:
"roleid":2

o Send again and check the response: the roleid has changed to 2, so the server applied a
field the client should never be allowed to set.
o Go to the Proxy tab, make the same change in the intercepted request and forward the
requests.
o Open the browser and you will notice that an Admin panel link is now present. Click on
the admin panel and delete carlos.
o Once the account is deleted, the lab will be solved.
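This lab is a mass-assignment bug: the update handler copies whatever fields arrive in the JSON body into the stored user record. The added example below (not the lab's code, nor from the original notes) shows that handler beside an allow-listed one; the user table, the field names and the roleid-2 convention are taken from the lab description, everything else is constructed.

```python
"""Added example (not from the original notes): mass assignment on a profile update,
the pattern behind lab 4. The user table, the JSON body and both handlers are
constructed for illustration; they are not the lab's own code."""
import json

ADMIN_ROLEID = 2  # the lab description says roleid 2 unlocks /admin

def fresh_users() -> dict:
    """A new copy of the constructed user table, so each run starts clean."""
    return {"wiener": {"username": "wiener", "email": "wiener@example.test", "roleid": 1}}

def update_profile_vulnerable(users: dict, username: str, body: str) -> dict:
    """Merge every field the client sent straight into the stored record."""
    users[username].update(json.loads(body))
    return users[username]

# Allow-list: the only fields a user may change about themselves.
USER_EDITABLE = {"email"}

def update_profile_hardened(users: dict, username: str, body: str) -> dict:
    """Apply only allow-listed fields and reject a body that names anything else.
    Rejecting (rather than silently dropping) makes tampering visible in logs."""
    data = json.loads(body)
    rejected = set(data) - USER_EDITABLE
    if rejected:
        raise PermissionError(f"fields not editable by the user: {sorted(rejected)}")
    for field, value in data.items():
        users[username][field] = value
    return users[username]

def can_open_admin(users: dict, username: str) -> bool:
    """The /admin check as the lab describes it: a stored roleid of 2."""
    return users[username]["roleid"] == ADMIN_ROLEID

# The body as edited in Repeater: the email the form sent, plus the extra field.
TAMPERED_BODY = json.dumps({"email": "wiener@example.test", "roleid": 2})

def run_demo() -> dict:
    """Replay the lab: the same tampered body against both handlers."""
    vuln = fresh_users()
    update_profile_vulnerable(vuln, "wiener", TAMPERED_BODY)
    hard = fresh_users()
    try:
        update_profile_hardened(hard, "wiener", TAMPERED_BODY)
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "vulnerable_grants_admin": can_open_admin(vuln, "wiener"),
        "hardened_rejected_body": rejected,
        "hardened_roleid_after": hard["wiener"]["roleid"],
    }

if __name__ == "__main__":
    print(run_demo())
```

A role change should only ever happen through a separate, admin-only endpoint; the profile endpoint has no business knowing the field exists.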
5. User ID controlled by request parameter, with unpredictable user IDs.
This lab has a horizontal privilege escalation vulnerability on the user account page, but
identifies users with GUIDs.
To solve the lab, find the GUID for Carlos, then submit his API key as the solution.
You can log in to your own account using the following credentials: wiener:peter.
Solution:
o This lab has a blog. Go through the blog posts to find one whose author is Carlos.

o Once you find a post whose author is Carlos, click on the author's name.
o Analyse the URL that opens. It contains Carlos's user ID (a GUID) as a parameter.
o Copy the user ID and save it for later.

o Click on My account, enable FoxyProxy and turn intercept on in Burp Suite.
o Enter your credentials and log in. You will then be on your account page.

o Click on the My account option again and look at the intercepted request in Burp.
o The request contains a parameter named id whose value refers to wiener's account.
o Change the value of id to Carlos's ID that you copied from the URL.
o Forward the request and you will notice that the page now shows Carlos's account details.
You are still logged in as wiener; the server simply trusts the id parameter to choose
whose account to display.
o Copy the API key and submit it as the solution. The lab is solved.
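Using a GUID instead of a sequential number does not help when the application leaks the GUID elsewhere and never checks that the requested account belongs to the session. The added example below (not the lab's code, nor from the original notes) harvests the author's ID from a blog link and then calls an account handler that trusts the id parameter next to one that checks ownership; the HTML, GUIDs, API keys, the userId/id parameter names and the session store are all constructed.

```python
"""Added example (not from the original notes): the two halves of lab 5, harvesting
another user's GUID from a blog author link and an account endpoint that trusts an
id parameter. The HTML, GUIDs, API keys, the userId/id parameter names and the
handler code are constructed placeholders, not the lab's real values."""
import re
from urllib.parse import urlparse, parse_qs

WIENER_ID = "6f1d0c2e-9a7b-4e3d-8c5f-2b4a6d8e0f1a"  # constructed GUID
CARLOS_ID = "3f0e6d2b-7c1a-4b9e-a5d8-1e2f3a4b5c6d"  # constructed GUID

# Constructed blog page: each author link carries that author's user id.
SAMPLE_POST_HTML = f"""<article>
<h1>A post</h1>
<p><span>by</span> <a href="/blogs?userId={CARLOS_ID}">carlos</a></p>
<p>Another post <a href="/blogs?userId={WIENER_ID}">wiener</a></p>
<a href="/">Home</a>
</article>"""

_LINK = re.compile(r'<a href="([^"]+)">([^<]+)</a>')

def author_ids(html: str) -> dict[str, str]:
    """Map author name -> userId, taken from links whose query carries a userId."""
    ids = {}
    for href, text in _LINK.findall(html):
        query = parse_qs(urlparse(href).query)
        if "userId" in query:
            ids[text.strip()] = query["userId"][0]
    return ids

# Constructed server state: accounts keyed by GUID, sessions mapping to an owner GUID.
ACCOUNTS = {
    WIENER_ID: {"username": "wiener", "api_key": "wiener-key-0000"},
    CARLOS_ID: {"username": "carlos", "api_key": "carlos-key-1111"},
}
SESSIONS = {"s3ss10n-wiener": WIENER_ID}

def my_account_vulnerable(session_id: str, query_string: str) -> dict:
    """Lab pattern: logged in? yes. Whose page? Whatever ?id= says."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    target = parse_qs(query_string).get("id", [SESSIONS[session_id]])[0]
    return ACCOUNTS[target]

def my_account_hardened(session_id: str, query_string: str) -> dict:
    """Authorisation, not just authentication: the id must be the session's own."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise PermissionError("not logged in")
    requested = parse_qs(query_string).get("id", [owner])[0]
    if requested != owner:
        raise PermissionError("not your account")
    return ACCOUNTS[owner]

def run_demo() -> dict:
    """Replay the lab: harvest Carlos's id, then request his page as wiener."""
    carlos = author_ids(SAMPLE_POST_HTML)["carlos"]
    leaked = my_account_vulnerable("s3ss10n-wiener", f"id={carlos}")["api_key"]
    try:
        my_account_hardened("s3ss10n-wiener", f"id={carlos}")
        blocked = False
    except PermissionError:
        blocked = True
    return {"harvested_id": carlos, "leaked_api_key": leaked, "hardened_blocked": blocked}

if __name__ == "__main__":
    print(run_demo())
```

The simplest hardening is to drop the id parameter from the account page entirely and always render the session owner's record; where an id is genuinely needed (an admin viewing any user), the ownership check is replaced by a role check on the server side.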
The remaining labs on this topic follow a similar method. Practise with Burp Repeater to
understand the further concepts.
