PortSwigger: Referer-based access control
Task
This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Attempt
Log in as administrator and capture the request that upgrades a user's privilege. Log out and change the session cookie to wiener's. Change the username parameter to wiener and send the request.
Thoughts
In this lab you're supposed to set the Referer header containing /admin yourself, but since the captured request already carries that header unmodified, just changing the username parameter solves the lab.
But make sure to understand the point: the website uses the Referer header for access control, and you can circumvent it because the client controls that header and can make it name a path (here /admin) that you are only supposed to reach after being authorized.
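To make the flaw concrete, here is an added example (my own Python model, not code from the PortSwigger lab or from this writeup) that puts the Referer-based check beside a session-role-based one and replays the request from the Attempt section against both. The request object, the session store, the user table, the `/admin-roles` path and the `LAB-HOST` name are all constructed placeholders; the lab's real endpoint is not shown on this page.

```python
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import urlparse


@dataclass
class Request:
    """Constructed stand-in for an HTTP request; no web framework is involved."""
    path: str
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed server-side session store: session cookie value -> logged-in user.
SESSIONS: Dict[str, str] = {
    "admin-session-token": "administrator",
    "wiener-session-token": "wiener",
}


def fresh_users() -> Dict[str, Dict[str, str]]:
    """Constructed user table, rebuilt per call so each handler starts clean."""
    return {
        "administrator": {"role": "admin"},
        "wiener": {"role": "user"},
    }


def _promote(request: Request, users: Dict[str, Dict[str, str]]) -> bool:
    """Shared effect of the endpoint: set the target user's role to admin."""
    target = request.params.get("username")
    if target not in users:
        return False
    users[target]["role"] = "admin"
    return True


def upgrade_user_vulnerable(request: Request, users: Dict[str, Dict[str, str]]) -> bool:
    """Flawed authorization, as in the lab: the only gate is the Referer header.

    Referer is chosen by the client, so a user who never loaded /admin can still
    send one that points there; the check says nothing about who the caller is.
    """
    referer_path = urlparse(request.headers.get("Referer", "")).path
    if not referer_path.startswith("/admin"):
        return False
    return _promote(request, users)


def upgrade_user_fixed(request: Request, users: Dict[str, Dict[str, str]]) -> bool:
    """Hardened authorization: derive the caller's role from the server-side
    session bound to the cookie and ignore Referer entirely."""
    caller = SESSIONS.get(request.cookies.get("session", ""))
    if caller is None or users.get(caller, {}).get("role") != "admin":
        return False
    return _promote(request, users)


def scenario() -> Dict[str, object]:
    """Replays the writeup's request (wiener's cookie, Referer naming /admin)
    against both handlers, plus a legitimate admin request against the fix."""
    # "/admin-roles" and "LAB-HOST" are placeholders, not the lab's real values.
    forged = Request(
        path="/admin-roles",
        params={"username": "wiener", "action": "upgrade"},
        headers={"Referer": "https://LAB-HOST/admin"},
        cookies={"session": "wiener-session-token"},
    )
    legit = Request(
        path="/admin-roles",
        params={"username": "wiener", "action": "upgrade"},
        headers={"Referer": "https://LAB-HOST/admin"},
        cookies={"session": "admin-session-token"},
    )
    users_vuln, users_fixed, users_legit = fresh_users(), fresh_users(), fresh_users()
    return {
        "vulnerable_allows_wiener": upgrade_user_vulnerable(forged, users_vuln),
        "vulnerable_wiener_role": users_vuln["wiener"]["role"],
        "fixed_allows_wiener": upgrade_user_fixed(forged, users_fixed),
        "fixed_wiener_role": users_fixed["wiener"]["role"],
        "fixed_allows_admin": upgrade_user_fixed(legit, users_legit),
        "fixed_wiener_role_after_admin": users_legit["wiener"]["role"],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the two handlers is that the fixed one never reads a header the client can set: the decision comes from the server-side session and the stored role, so the same request that promotes wiener under the Referer check is refused, while a real administrator's session still works. A server that wants to notice probing of this kind can additionally log requests to admin endpoints whose session role does not match the Referer they present.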