| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Unprotected Admin Functionality, Unpredictable URL) |
| Difficulty | Apprentice |
| Objective | Access the admin panel and delete the user carlos |
Unprotected Admin Functionality with Unpredictable URL
Checking robots.txt:
web-security-academy.net/robots.txt
Not found this time — no easy disclosure there. Looking at the page source instead:
```javascript
// Served to every visitor; the flag is hard-coded on the client side
var isAdmin = false;
if (isAdmin) {
    var topLinksTag = document.getElementsByClassName("top-links")[0];
    var adminPanelTag = document.createElement('a');
    // The admin path sits in the page source whether or not this branch ever runs
    adminPanelTag.setAttribute('href', '/admin-35xf4u');
    adminPanelTag.innerText = 'Admin panel';
    topLinksTag.append(adminPanelTag);
    var pTag = document.createElement('p');
    pTag.innerText = '|';
    topLinksTag.appendChild(pTag);
}
```
isAdmin is hard-coded to false, so the block never runs in our browser, but the script that contains it, hard-coded /admin-35xf4u path included, is served to every user regardless of role. The conditional only decides whether the link is rendered; it does nothing to hide the code, which anyone can read in the page source or the raw response body. An unpredictable URL is obscurity, not access control: the path was never meant to be guessed, yet it leaked through client-side JavaScript, and nothing on the server checks who is requesting it.
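As an added example (mine, not the lab's or PortSwigger's code), here is a small Node script that does what we just did by eye: scan every inline `<script>` in a page for hard-coded absolute paths, ignoring whether the surrounding JavaScript branch would ever execute. The sample page is constructed to resemble the lab's source; the `/static/app.js` and `/my-account` paths and the keyword list are assumptions.

```javascript
// Added example, not part of the lab or of PortSwigger's code. It scans a
// page's inline <script> blocks for hard-coded absolute paths, ignoring any
// surrounding conditionals: the browser may never run `if (isAdmin)`, but the
// string literal is still in the response body.

// Constructed sample page modelled on the lab's home page source. The
// `/static/app.js` and `/my-account` paths are made up for the example.
const SAMPLE_HTML = `<!DOCTYPE html>
<html>
<head>
  <script src="/static/app.js"></script>
</head>
<body>
  <div class="top-links"><a href="/my-account">My account</a></div>
  <script>
    var isAdmin = false;
    if (isAdmin) {
      var topLinksTag = document.getElementsByClassName("top-links")[0];
      var adminPanelTag = document.createElement('a');
      adminPanelTag.setAttribute('href', '/admin-35xf4u');
      adminPanelTag.innerText = 'Admin panel';
      topLinksTag.append(adminPanelTag);
      var pTag = document.createElement('p');
      pTag.innerText = '|';
      topLinksTag.appendChild(pTag);
    }
  </script>
</body>
</html>`;

// Return the body of every inline <script>; external scripts have an empty
// body and are skipped here (they would need a separate fetch).
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim() !== '') bodies.push(m[1]);
  }
  return bodies;
}

// Every single- or double-quoted string literal that starts with "/".
// This is a textual scan, not an evaluation, so dead branches are included.
function extractPathLiterals(js) {
  const re = /(['"])(\/[A-Za-z0-9_\-.~\/?=&%]*)\1/g;
  const paths = new Set();
  let m;
  while ((m = re.exec(js)) !== null) paths.add(m[2]);
  return [...paths];
}

// All absolute paths leaked by inline scripts in the page, de-duplicated and sorted.
function findLeakedPaths(html) {
  const found = new Set();
  for (const body of extractInlineScripts(html)) {
    for (const p of extractPathLiterals(body)) found.add(p);
  }
  return [...found].sort();
}

// Paths worth requesting first: anything that smells like privileged
// functionality. The keyword list is an assumption, extend it as needed.
const INTERESTING = ['admin', 'manage', 'internal', 'debug', 'delete'];
function flagInteresting(paths) {
  return paths.filter((p) => INTERESTING.some((k) => p.toLowerCase().includes(k)));
}

const leaked = findLeakedPaths(SAMPLE_HTML);
console.log('leaked paths:', leaked);               // [ '/admin-35xf4u' ]
console.log('try first:', flagInteresting(leaked));  // [ '/admin-35xf4u' ]
```

Run it with node, or feed findLeakedPaths a fetched response body instead of the sample. Flagging is only a heuristic; every leaked path still has to be requested to see whether the server checks authorization, which is exactly the check /admin-35xf4u fails.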
Going directly to:
web-security-academy.net/admin-35xf4u
We land in the admin panel with no login or role check in the way. Deleting carlos from there solves the lab.