PortSwigger - Method-based access control can be circumvented
# Method-based access control can be circumvented
## Task
This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials `administrator:admin`.
To solve the lab, log in using the credentials `wiener:peter` and exploit the flawed access controls to promote yourself to become an administrator.
## Attempt
Log in as `administrator`. Upgrade carlos's privilege to admin and capture the request. You can see that you can change its request method. I deleted the session cookie and changed the method to GET, but that didn't let me circumvent the access control. Error: "unauthorized".
Then I logged in as `wiener`, grabbed his session cookie and used it. This time I was able to circumvent the access control.
## Thoughts
Just because you failed to break the access control without a session cookie (i.e. as an unauthenticated user), it doesn't mean you can't do it as a lower-privileged user.
Also, with this type of attack, error messages don't guarantee failure. Sometimes the database update actually succeeds despite an error message or a redirect to the top page.
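The two points above, as an added example that is not the lab's code or the write-up's: a toy authorization layer whose admin check is keyed on the HTTP method, beside the fixed version that decides on the resource regardless of verb, plus a handler that applies the write before it checks authorization (so the client sees an error although the row has already changed). The endpoint name `/admin-roles`, the `Request` model and the `username`/`action` parameters are assumptions for the example, not the lab's real endpoint or code.

```python
# Added example, not the lab's code: a method-keyed access check next to a
# resource-keyed one, and a handler that writes before it checks.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ADMIN_ROLES_PATH = "/admin-roles"   # assumed endpoint name, not the lab's


@dataclass
class Request:
    method: str
    path: str
    session_role: Optional[str]     # None models a request with no session cookie
    params: Dict[str, str]


def authorize_flawed(req: Request) -> bool:
    """Flawed: the admin check is keyed on the HTTP method, so only POST is
    guarded. Any other verb to the same path falls through to the weaker
    'has a session' rule, which any logged-in user satisfies."""
    if req.path == ADMIN_ROLES_PATH and req.method == "POST":
        return req.session_role == "admin"
    return req.session_role is not None


def authorize_fixed(req: Request) -> bool:
    """Fixed: the decision is made on the resource, whatever the verb."""
    if req.path == ADMIN_ROLES_PATH:
        return req.session_role == "admin"
    return req.session_role is not None


def apply_role_change(req: Request, roles: Dict[str, str]) -> None:
    roles[req.params["username"]] = "admin" if req.params["action"] == "upgrade" else "user"


def handle(req: Request, authorize: Callable[[Request], bool], roles: Dict[str, str]) -> str:
    """Check first, then act. Returns the status line the client would see."""
    if not authorize(req):
        return "401 Unauthorized"
    if req.path == ADMIN_ROLES_PATH:
        apply_role_change(req, roles)
        return "302 Found"  # redirect after the change, as the lab does
    return "200 OK"


def handle_check_after_write(req: Request, roles: Dict[str, str]) -> str:
    """Ordering bug from the 'Thoughts' section: the update is applied before
    the check, so the client gets 401 even though the row has already changed."""
    if req.path == ADMIN_ROLES_PATH:
        apply_role_change(req, roles)
    if not authorize_fixed(req):
        return "401 Unauthorized"
    return "302 Found"


def run_scenarios() -> Dict[str, str]:
    """Replay the write-up's attempts against both checks (constructed inputs)."""
    upgrade = {"username": "carlos", "action": "upgrade"}
    results: Dict[str, str] = {}
    for name, check in (("flawed", authorize_flawed), ("fixed", authorize_fixed)):
        roles = {"carlos": "user", "wiener": "user"}
        # 1. No session cookie, method changed to GET: blocked by both checks
        results[f"{name}/anon GET"] = handle(Request("GET", ADMIN_ROLES_PATH, None, upgrade), check, roles)
        # 2. Low-privilege session, original POST: blocked by both checks
        results[f"{name}/wiener POST"] = handle(Request("POST", ADMIN_ROLES_PATH, "user", upgrade), check, roles)
        # 3. Low-privilege session, method switched to GET: only the flawed check lets it through
        results[f"{name}/wiener GET"] = handle(Request("GET", ADMIN_ROLES_PATH, "user", upgrade), check, roles)
        results[f"{name}/carlos role"] = roles["carlos"]
    return results


def late_check_demo() -> Dict[str, str]:
    """Error response, yet the role change went through."""
    roles = {"carlos": "user"}
    req = Request("POST", ADMIN_ROLES_PATH, "user", {"username": "carlos", "action": "upgrade"})
    return {"status": handle_check_after_write(req, roles), "carlos role": roles["carlos"]}


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:20} -> {v}")
    print(late_check_demo())
```

The detection and mitigation point is the same in both functions: enforce authorization on the resource and the session's role, not on the verb the client happens to send, and perform the check before any state change so that a 401 really means nothing was written.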