Referer-Based Access Control
Lab
Referer-based access control · Apprentice
Solution
Given
This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Analyzing the task
There's an admin panel with a privilege escalation function, and the access control for it is based on the Referer header. We're given credentials for the admin panel, so let's study how the privilege escalation function works. To solve the lab, we need to escalate the user wiener to administrator privileges.
Recon
Let's go look at the admin panel. A familiar privilege escalation form.
After clicking the privilege escalation button — the request:
GET /admin-roles?username=carlos&action=upgrade
Referer: https://0a2b00b703d010d680d8fd69008300f7.web-security-academy.net/admin
Now log in as wiener and replay this request with wiener's session cookie: GET /admin-roles?username=wiener&action=upgrade, keeping the Referer header exactly as it appeared in the admin's request. The server accepts it because the only check is on the Referer, a header the client sets freely.
Lab solved.
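As an added example (not the lab's own server code), a minimal model of the /admin-roles endpoint implemented two ways: the Referer-based check the lab relies on, and the server-side session-role check that fixes it. Session ids and the role table are constructed sample data.

```python
from dataclasses import dataclass

# Constructed session store: session id -> (username, role)
SESSIONS = {
    "admin-session": ("administrator", "admin"),
    "wiener-session": ("wiener", "user"),
}
# Constructed role table for the lab's users
ROLES = {"administrator": "admin", "wiener": "user", "carlos": "user"}
# The Referer value seen in the admin's request in the write-up
ADMIN_REFERER = "https://0a2b00b703d010d680d8fd69008300f7.web-security-academy.net/admin"


@dataclass
class Request:
    query: dict
    headers: dict
    cookies: dict


def upgrade_vulnerable(req, roles, sessions):
    """Grants the upgrade when the Referer points at /admin.
    The Referer is attacker-controlled, so a copied header suffices."""
    if not req.headers.get("Referer", "").endswith("/admin"):
        return False
    roles[req.query["username"]] = "admin"
    return True


def upgrade_fixed(req, roles, sessions):
    """Decides on the server-side role of the session that sent the
    request; the Referer header plays no part in the decision."""
    sess = sessions.get(req.cookies.get("session"))
    if sess is None or sess[1] != "admin":
        return False
    roles[req.query["username"]] = "admin"
    return True


def replay(handler, session_id, target):
    """Send the upgrade request for `target` with the given session and the
    admin's Referer; return the target's role afterwards."""
    roles = dict(ROLES)
    req = Request(query={"username": target, "action": "upgrade"},
                  headers={"Referer": ADMIN_REFERER},
                  cookies={"session": session_id})
    handler(req, roles, SESSIONS)
    return roles[target]


if __name__ == "__main__":
    print(replay(upgrade_vulnerable, "wiener-session", "wiener"))  # admin
    print(replay(upgrade_fixed, "wiener-session", "wiener"))       # user
    print(replay(upgrade_fixed, "admin-session", "carlos"))        # admin
```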