
Unprotected admin functionality

Introduction

Portswigger

Category: Access control vulnerabilities

Write-up date: 10/06/2025

Question: This lab has an unprotected admin panel. Solve the lab by deleting the user carlos.

Point: APPRENTICE

Recon

Checking common endpoints such as robots.txt leads us to

User-agent: *
Disallow: /administrator-panel

Browsing to /administrator-panel simply shows us the admin panel: the application performs no authorization check before serving it. A Disallow entry in robots.txt only asks well-behaved crawlers to stay away; it is a discovery hint, not an access control.
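The following is an added example, not code from the lab or from this write-up. It models the two halves of the finding in plain Python with constructed in-memory data (no framework, no network): a small parser that pulls Disallow entries out of a robots.txt body, showing why such entries are visible to anyone, and the admin "delete user" action in its lab-like unprotected form next to a hardened version that checks the caller's session and role on the server before acting. The `Request` class, the user table, the session store and the function names are all assumptions made for the example.

```python
"""Added example: unprotected admin action versus the same action with a
server-side authorization check. All state below is constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not a real framework)."""
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

# Constructed sample state: a user table and a session-id -> username store.
USERS: Dict[str, Dict[str, str]] = {
    "administrator": {"role": "admin"},
    "carlos": {"role": "user"},
    "wiener": {"role": "user"},
}
SESSIONS: Dict[str, str] = {"sess-admin": "administrator", "sess-wiener": "wiener"}

def disallowed_paths(robots_txt: str) -> List[str]:
    """Return every Disallow path listed in a robots.txt body.

    Anyone can fetch robots.txt, so a Disallow line that names an admin
    path advertises it rather than hiding it.
    """
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def delete_user_unprotected(req: Request, users: Dict[str, Dict[str, str]]) -> Tuple[int, str]:
    """Lab-like behaviour: the action runs for any request that reaches the path."""
    target = req.params.get("username", "")
    if target not in users:
        return 404, "no such user"
    del users[target]                       # no check on who is asking
    return 200, f"deleted {target}"

def current_user(req: Request, sessions: Dict[str, str]):
    """Resolve the session cookie to a username, or None when not logged in."""
    return sessions.get(req.cookies.get("session", ""))

def delete_user_protected(req: Request, users: Dict[str, Dict[str, str]],
                          sessions: Dict[str, str]) -> Tuple[int, str]:
    """Hardened version: authenticate, then authorize, before doing anything."""
    caller = current_user(req, sessions)
    if caller is None:
        return 401, "login required"           # unauthenticated
    if users.get(caller, {}).get("role") != "admin":
        return 403, "admin only"               # authenticated but not permitted
    target = req.params.get("username", "")
    if target not in users:
        return 404, "no such user"
    del users[target]
    return 200, f"deleted {target}"

def demo() -> Dict[str, Tuple[int, str]]:
    """Run the same anonymous and admin requests through both handlers."""
    anon = Request("/administrator-panel/delete", params={"username": "carlos"})
    admin = Request("/administrator-panel/delete", params={"username": "carlos"},
                    cookies={"session": "sess-admin"})
    return {
        "unprotected_anon": delete_user_unprotected(anon, dict(USERS)),
        "protected_anon": delete_user_protected(anon, dict(USERS), SESSIONS),
        "protected_admin": delete_user_protected(admin, dict(USERS), SESSIONS),
    }

if __name__ == "__main__":
    print(disallowed_paths("User-agent: *\nDisallow: /administrator-panel\n"))
    for name, result in demo().items():
        print(name, result)
```

The fix is the ordering in `delete_user_protected`: identity and role are established server-side from the session store before any parameter is trusted, so knowing the path (from robots.txt or anywhere else) no longer grants the action.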

Exploit

Simply delete the user carlos from the panel and the lab is solved.

solved.png