| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Unprotected Admin Functionality) |
| Difficulty | Apprentice |
| Objective | Delete the user carlos |
## Unprotected Admin Functionality

Checking robots.txt at `web-security-academy.net/robots.txt`:

```
User-agent: *
Disallow: /administrator-panel
```

The `Disallow` line discloses the admin panel path directly. robots.txt is only a hint to well-behaved crawlers; it provides no access control, so anything listed there is reachable by anyone who reads the file. Going to `web-security-academy.net/administrator-panel`:
We're taken straight into the admin panel with no authentication or authorization check at all. Clicking delete on carlos:

And the lab is solved, easy >..< This section is very easy, actually.
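The root cause of this lab is that the admin endpoint never checks who is calling it. The following is an added example (not PortSwigger's lab code) showing a minimal stdlib-only WSGI app with the vulnerable handler beside a hardened one that enforces a server-side role check on every request. The session store, user table, route paths and cookie name are constructed assumptions for the demonstration.

```python
"""Added example, not the lab's own code: vulnerable admin deletion beside a
hardened version guarded by a server-side role check (stdlib only)."""
from functools import wraps
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs

# Constructed server-side session store: session id -> user record.
# The client only ever holds the opaque id; the role is never trusted from input.
SESSIONS = {
    "sid-admin-001": {"username": "administrator", "role": "admin"},
    "sid-wiener-002": {"username": "wiener", "role": "user"},
}
USERS = {"administrator", "wiener", "carlos"}  # constructed user table


def reset_users():
    """Restore the constructed user table (handy for repeated runs)."""
    USERS.clear()
    USERS.update({"administrator", "wiener", "carlos"})
    return USERS


def current_user(environ):
    """Resolve the session cookie to a user record, or None if anonymous."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["session"].value if "session" in cookie else None
    return SESSIONS.get(sid)


def require_role(role):
    """Deny-by-default guard: runs on the server for every request, so hiding
    the path (robots.txt, unlinked URL) is irrelevant to whether it is protected."""
    def deco(handler):
        @wraps(handler)
        def guarded(environ):
            user = current_user(environ)
            if user is None:
                return "401 Unauthorized", b"login required"
            if user["role"] != role:
                return "403 Forbidden", b"insufficient privileges"
            return handler(environ, user)
        return guarded
    return deco


def _target_username(environ):
    return parse_qs(environ.get("QUERY_STRING", "")).get("username", [""])[0]


# Vulnerable: the lab's behaviour, no check on who is calling (kept here only
# for side-by-side comparison; never mount something like this for real).
def vulnerable_delete(environ):
    target = _target_username(environ)
    USERS.discard(target)
    return "200 OK", f"deleted {target}".encode()


# Hardened: identical functionality behind the role guard.
@require_role("admin")
def hardened_delete(environ, user):
    target = _target_username(environ)
    USERS.discard(target)
    return "200 OK", f"{user['username']} deleted {target}".encode()


ROUTES = {
    "/administrator-panel/delete": hardened_delete,
    "/vulnerable/administrator-panel/delete": vulnerable_delete,
}


def app(environ, start_response):
    """WSGI entry point: dispatch by path, 404 for anything unknown."""
    handler = ROUTES.get(environ.get("PATH_INFO", ""))
    if handler is None:
        status, body = "404 Not Found", b"not found"
    else:
        status, body = handler(environ)
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


def request(path, query="", cookie=""):
    """Drive the app in-process (no network) and return the HTTP status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "QUERY_STRING": query, "HTTP_COOKIE": cookie,
               "wsgi.input": BytesIO(b"")}
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    app(environ, start_response)
    return captured["status"]


if __name__ == "__main__":
    print(request("/administrator-panel/delete", "username=carlos"))  # 401
    print(request("/administrator-panel/delete", "username=carlos",
                  "session=sid-wiener-002"))                           # 403
    print(request("/administrator-panel/delete", "username=carlos",
                  "session=sid-admin-001"))                            # 200
```

The guard is deliberately a decorator so that every privileged handler opts into it explicitly and the decision is made from the server-side session record, not from anything the client sends; an anonymous caller gets 401, a logged-in non-admin gets 403, and the vulnerable route shows what the lab's endpoint effectively does.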