[This lab](https://portswigger.net/web-security/access-control/lab-referer-based-access-control) demonstrates a flawed access control mechanism where privileged operations (like promoting a user) are protected **only by inspecting the `Referer` header**. Since HTTP headers — especially `Referer` — are **fully client-controlled**, this is an insecure practice and can be trivially bypassed. ##### Step-by-Step Exploitation ###### 1. Log in as Administrator (Recon Phase) Use the provided credentials: ``` Username: administrator Password: admin ``` --- ###### 2. Trigger Role Promotion Request Navigate to the admin panel and promote a user (e.g., `carlos`). Intercept the request. It should look like: ```http GET /admin-roles?username=carlos&action=upgrade HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Referer: https://YOUR-LAB-ID.web-security-academy.net/admin Cookie: session=ADMIN-SESSION ``` Send this request to **Burp Repeater** for reuse. --- ###### 3. Switch to Non-Admin Session - Open an incognito/private browser window - Log in as the low-privilege user: ``` Username: wiener Password: peter ``` - Copy the new session cookie from this login --- ###### 4. Modify and Replay Request in Burp In the Repeater request: - Replace the session cookie with **wiener’s** - Change the `username` parameter to `wiener`: ```http GET /admin-roles?username=wiener&action=upgrade HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Referer: https://YOUR-LAB-ID.web-security-academy.net/admin Cookie: session=LOW-PRIVILEGE-SESSION ``` Send the request. ✅ If successful, the response will confirm your user has been promoted to admin. --- ###### 5. Confirm and Delete Carlos Now that you are an admin, visit `/admin`, and delete the user `carlos` to solve the lab. --- ##### Why It Works - The application **relies on the `Referer` header** to determine if a request comes from a legitimate admin page - Since `Referer` is a **client-controlled HTTP header**, it can be spoofed using tools like Burp Suite - The backend does **not validate the user's role**, only where the request "came from" --- ##### Real-World Examples - Web apps that use `Referer` to authorize admin tools, password reset flows, or CSRF protection - Security mechanisms that depend on browser headers (spoofable in API clients or proxies)