apsyleg
#portswigger #access-control #web-security
User Role Controlled by Request Parameter
Lab
User role controlled by request parameter · Apprentice
Solution
Given
This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.
Solve the lab by accessing the admin panel and using it to delete the user `carlos`.
You can log in to your own account using the following credentials: `wiener:peter`
Analyzing the task
The admin panel uses a simple check — it looks for a specific cookie. We need to get in and delete a user.
Recon
Let's log in and see what happens.
POST /login sets an interesting cookie:
Set-Cookie: Admin=false; Secure; HttpOnly
The obvious step — swap it for Admin=true. And indeed, the admin panel link appears.
We delete the user. Lab solved!
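To make the defect concrete, here is an added example (not the lab's or PortSwigger's code) showing the client-trusting check the lab exhibits, a corrected check that derives the role from a server-side session store, and a small detector for requests that claim a role the session does not hold. The session ids and accounts are constructed for the example.

```python
# Added example, not code from the lab or from PortSwigger.
from http.cookies import SimpleCookie

# Constructed server-side session store: opaque session id -> account data.
SESSIONS = {
    "s3ss10n-wiener": {"user": "wiener", "role": "user"},
    "s3ss10n-admin": {"user": "administrator", "role": "admin"},
}


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The lab's pattern: the role is whatever the client asserts in a cookie,
    so flipping Admin=false to Admin=true grants the admin panel."""
    return parse_cookies(cookie_header).get("Admin") == "true"


def is_admin_fixed(cookie_header: str) -> bool:
    """Corrected check: only the opaque session id comes from the client;
    the role is looked up server-side and any Admin cookie is ignored."""
    account = SESSIONS.get(parse_cookies(cookie_header).get("session"))
    return account is not None and account["role"] == "admin"


def forged_role_claim(cookie_header: str) -> bool:
    """Detection aid: true when the request carries Admin=true but the
    server-side session is not an admin, i.e. a tampered role cookie."""
    cookies = parse_cookies(cookie_header)
    account = SESSIONS.get(cookies.get("session"))
    really_admin = account is not None and account["role"] == "admin"
    return cookies.get("Admin") == "true" and not really_admin


if __name__ == "__main__":
    tampered = "session=s3ss10n-wiener; Admin=true"  # wiener's session, cookie edited
    print("vulnerable check grants admin:", is_admin_vulnerable(tampered))
    print("fixed check grants admin:", is_admin_fixed(tampered))
    print("tampering detected:", forged_role_claim(tampered))
```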