| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Flawed State Machine, Login Workflow Bypass |
| Difficulty | Practitioner |
| Objective | Bypass authentication to access the admin interface and delete the user carlos |
Authentication Bypass via Flawed State Machine
Navigating to /admin required admin login. I logged in as wiener:peter:
Instead of landing on /my-account, the flow had an intermediate step — a role selector asking to choose between "user" or "content-author":
I tried submitting role=administrator directly:
No admin access: the role value itself wasn't the lever. The workflow assumes every user completes the role-selector step, so the next question is what happens when that step is skipped entirely, rather than what it does with unexpected values submitted to it. Dropping an intermediate request from the sequence is a distinct test from tampering with the parameters inside it, and it exercises a different code path: the server's handling of a session that never reached the state the next step expects.
The login flow is: POST /login → GET /role-selector → POST /role-selector. Logging in again and dropping the GET /role-selector request at the intercept:
The role-selector step never completed — the session advanced without a role being assigned. Navigating to /admin:
Admin panel accessible. The server defaulted to an elevated state when the role-selector step was never completed: either a session with no role at all passes the admin check outright, or the check only excludes the two roles the selector can assign and everything else falls through. Either way, nothing verified that the workflow had actually reached the role-assigned state before a privileged page was served. The safe default when a workflow step is skipped is the lowest-privilege state; here it is the highest.
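To make the two failure modes above concrete, here is an added example, not code from the lab or from PortSwigger, that models the three-step login workflow as a small state machine in Python. The `Stage` values, the `Session` fields, the credential table and the two admin checks are all my reconstruction of the observed behaviour, not the lab's real implementation: `admin_allowed_vulnerable` encodes the guess that the check only excludes the roles the selector can assign, so an unset role falls through; `admin_allowed_hardened` fails closed by requiring both that the role step completed and that the role is explicitly administrator.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Stage(Enum):
    """Where in the login workflow a session currently sits (assumed model)."""
    ANON = "anonymous"            # nothing submitted yet
    AUTHENTICATED = "authenticated"  # POST /login succeeded, role not yet chosen
    ROLE_SELECTED = "role_selected"  # POST /role-selector completed


@dataclass
class Session:
    username: Optional[str] = None
    stage: Stage = Stage.ANON
    role: Optional[str] = None


# Constructed credential table; only the lab's low-privilege account is modelled.
USERS = {"wiener": "peter"}

# The only roles the selector page offers; "administrator" is not among them,
# which matches the rejected role=administrator submission described above.
SELECTABLE_ROLES = {"user", "content-author"}


def login(sess: Session, username: str, password: str) -> bool:
    """POST /login: on success the session advances to AUTHENTICATED with no role."""
    if USERS.get(username) != password:
        return False
    sess.username = username
    sess.stage = Stage.AUTHENTICATED
    sess.role = None
    return True


def select_role(sess: Session, role: str) -> bool:
    """POST /role-selector: accepts only the roles the page offers."""
    if sess.stage is Stage.ANON or role not in SELECTABLE_ROLES:
        return False
    sess.role = role
    sess.stage = Stage.ROLE_SELECTED
    return True


def admin_allowed_vulnerable(sess: Session) -> bool:
    """Hypothetical flawed check: 'not a normal role' is treated as admin.

    A session that skipped /role-selector still has role=None, which is not in
    the exclusion set, so it is waved through. This is the reconstructed flaw,
    not the lab's actual source.
    """
    if sess.stage is Stage.ANON:
        return False
    return sess.role not in SELECTABLE_ROLES


def admin_allowed_hardened(sess: Session) -> bool:
    """Fail-closed check: the workflow must have completed and the role must be
    explicitly administrator. A missing or unknown role is the lowest privilege."""
    return sess.stage is Stage.ROLE_SELECTED and sess.role == "administrator"


def run_flow(skip_role_selector: bool, check: Callable[[Session], bool]) -> bool:
    """Replay the lab sequence: log in as wiener, optionally drop the role
    step, then ask the given admin check whether /admin would be served."""
    sess = Session()
    if not login(sess, "wiener", "peter"):
        return False
    if not skip_role_selector:
        select_role(sess, "user")
    return check(sess)


if __name__ == "__main__":
    for skipped in (False, True):
        print(f"skip role step={skipped}: vulnerable={run_flow(skipped, admin_allowed_vulnerable)}, "
              f"hardened={run_flow(skipped, admin_allowed_hardened)}")
```

The point of the hardened check is that it tests for the *positive* condition (workflow reached `ROLE_SELECTED` and role is administrator) rather than the absence of a normal role. Any privileged handler should gate on the exact state it expects; an intermediate state, or a field that was never populated because a request was dropped, must map to deny.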
Clicking delete on carlos:
Lab solved.