Categoría: Access control

Referer-based access control

Descripción This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator. Referer-based access control writeup Este laboratorio […]

Multi-step process with no access control on one step

Descripción This lab has an admin panel with a flawed multi-step process for changing a user’s role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator. Multi-step process with […]

Method-based access control can be circumvented

Descripción This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator. Method-based access control can be circumvented […]

URL-based access control can be circumvented

Descripción This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header. To solve the lab, access the admin panel and delete the user carlos. URL-based access control can be circumvented writeup Entraremos […]

Insecure direct object references

Descripción This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs. Solve the lab by finding the password for the user carlos, and logging into their account. Insecure direct object references writeup Entramos al laboratorio y vemos que tiene una opción de ‘Live chat’. Al entrar en él, […]

User ID controlled by request parameter with password disclosure

Descripción This lab has user account page that contains the current user’s existing password, prefilled in a masked input. To solve the lab, retrieve the administrator’s password, then use it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter User ID controlled by request parameter with password disclosure […]

User ID controlled by request parameter with data leakage in redirect

Descripción This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response. To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials: wiener:peter User ID controlled by request parameter with […]

User ID controlled by request parameter, with unpredictable user IDs

Descripción This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs. To solve the lab, find the GUID for carlos, then submit his API key as the solution. You can log in to your own account using the following credentials: wiener:peter User ID controlled by request parameter, with unpredictable […]

User ID controlled by request parameter

Descripción This lab has a horizontal privilege escalation vulnerability on the user account page. To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials: wiener:peter User ID controlled by request parameter writeup Al entrar en la página web […]

User role can be modified in user profile

Descripción This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter User role can be modified in user profile writeup Al entrar […]