User role controlled by request parameter

https://portswigger.net/web-security/access-control/lab-user-role-controlled-by-request-parameter

Level: Apprentice

  • Once again the goal is to reach the administrative panel, but this time the weakness we exploit is a forgeable cookie.

  • Looking at the /admin directory and my cookies, we see that there is a cookie called Admin, and it is set to false.

  • What happens if we change the Admin cookie to true and try to access the /admin directory?

Voilà! We magically get into the /admin directory and delete the user Carlos. The server decided our role from a value the client fully controls, so the check is trivially bypassed.
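To show what the server is getting wrong, here is an added example that is not part of the lab or this write-up: a server-side authorisation check that trusts a client-supplied Admin cookie, beside a hardened version that derives the role from a server-side session record. All names here (`parse_cookie`, `is_admin_trusting_cookie`, `is_admin_from_session`, `authorize_admin_request`, the `SESSIONS` store and its session ids) are assumptions made for this example, not the lab's real implementation.

```python
"""Added example (not from the PortSwigger lab or this write-up): a role check
that trusts a client-controlled Admin cookie, next to a hardened check that
looks the role up in a server-side session store. All names and the session
store contents are assumptions made for this example."""

from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> user record.
# A real application would populate this at login from a database or cache.
SESSIONS = {
    "sid-wiener": {"username": "wiener", "role": "user"},
    "sid-admin": {"username": "administrator", "role": "admin"},
}


def parse_cookie(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_trusting_cookie(cookie_header: str) -> bool:
    """Vulnerable check: the role comes straight from the Admin cookie, which
    the client can set to anything. Admin=false -> Admin=true grants access."""
    cookies = parse_cookie(cookie_header)
    return cookies.get("Admin", "false").lower() == "true"


def is_admin_from_session(cookie_header: str) -> bool:
    """Hardened check: only the opaque session id is read from the client; the
    role is looked up server-side. Any Admin cookie the client sends is ignored."""
    cookies = parse_cookie(cookie_header)
    session = SESSIONS.get(cookies.get("session", ""))
    return session is not None and session["role"] == "admin"


def authorize_admin_request(cookie_header: str, check) -> str:
    """Return the HTTP status a request for /admin would get under `check`."""
    return "200 OK" if check(cookie_header) else "401 Unauthorized"


if __name__ == "__main__":
    # Constructed request: a normal user who edited the Admin cookie to true.
    forged = "session=sid-wiener; Admin=true"
    for label, check in (("trusting cookie", is_admin_trusting_cookie),
                         ("server-side session", is_admin_from_session)):
        print(f"{label:>20}: GET /admin -> {authorize_admin_request(forged, check)}")
```

Run as a script and the forged request is accepted by the cookie-trusting check and rejected by the session-backed one. The detection angle is the same: a request carrying a role-bearing cookie that does not match the role stored for its session is a strong signal of tampering and worth logging.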
