[This lab](https://portswigger.net/web-security/access-control/lab-referer-based-access-control) demonstrates a flawed access control mechanism where privileged operations (like promoting a user) are protected **only by inspecting the `Referer` header**. Since HTTP headers — especially `Referer` — are **fully client-controlled**, this is an insecure practice and can be trivially bypassed.
##### Step-by-Step Exploitation
###### 1. Log in as Administrator (Recon Phase)
Use the provided credentials:
```
Username: administrator
Password: admin
```
---
###### 2. Trigger Role Promotion Request
Navigate to the admin panel and promote a user (e.g., `carlos`). Intercept the request.
It should look like:
```http
GET /admin-roles?username=carlos&action=upgrade HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Referer: https://YOUR-LAB-ID.web-security-academy.net/admin
Cookie: session=ADMIN-SESSION
```
Send this request to **Burp Repeater** for reuse.
---
###### 3. Switch to Non-Admin Session
- Open an incognito/private browser window
- Log in as the low-privilege user:
```
Username: wiener
Password: peter
```
- Copy the new session cookie from this login
---
###### 4. Modify and Replay Request in Burp
In the Repeater request:
- Replace the session cookie with **wiener’s**
- Change the `username` parameter to `wiener`:
```http
GET /admin-roles?username=wiener&action=upgrade HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Referer: https://YOUR-LAB-ID.web-security-academy.net/admin
Cookie: session=LOW-PRIVILEGE-SESSION
```
Send the request.
✅ If successful, the response will confirm your user has been promoted to admin.
---
###### 5. Confirm and Delete Carlos
Now that you are an admin, visit `/admin`, and delete the user `carlos` to solve the lab.
---
##### Why It Works
- The application **relies on the `Referer` header** to determine if a request comes from a legitimate admin page
- Since `Referer` is a **client-controlled HTTP header**, it can be spoofed using tools like Burp Suite
- The backend does **not validate the user's role**, only where the request "came from"
---
##### Real-World Examples
- Web apps that use `Referer` to authorize admin tools, password reset flows, or CSRF protection
- Security mechanisms that depend on browser headers (spoofable in API clients or proxies)