Unprotected admin functionality
Task
Navigate to the webpage:
So, there's an unprotected admin panel; to solve this lab we have to delete the user carlos.
Alright, whenever I am checking out a webpage, one of the things I check before trying anything else is robots.txt. This file may at times contain some juicy details hehe.
Navigating to /robots.txt you should see this:
We found the directory where the administrator panel is located. Navigating to that directory:
Let's go ahead and delete the carlos account.
We have successfully solved this lab.
Unprotected admin functionality with unpredictable URL
Task
Navigate to the webpage:
Just like we did in the previous example, let's check robots.txt.
Not found hehe.
In the task description, we were told that the location is disclosed somewhere in the application. Checking the page source:
We found our admin panel hehe.
Navigating to that directory:
Cool, now let's delete the carlos account.
We have successfully solved this lab.
User role controlled by request parameter
Task
Navigate to the webpage:
In the task description we were told that the admin panel is at /admin. Navigating to that directory:
This is saying we have to be logged in as the administrator user, but we currently don't have the credentials for the admin user.
We were, however, given the creds for user wiener. Navigate to /login and log in with these creds.
Now, navigate to /admin and capture this request in Burp Suite.
We'll be changing the cookie Admin=false to Admin=true.
Forwarding the request should give us the admin panel.
Now, let's delete the carlos account.
We have successfully completed this lab.
User role can be modified in user profile
Task
Navigate to the webpage:
We were given the creds for user wiener. Let's try to log in with them.
Cool, we are logged in.
Our focus will be on the "update email" function. We'll provide an email, capture the request in Burp Suite and send it over to Burp Repeater.
Take a look at the roleid. From the task description, we were told that the admin user has a roleid of 2.
Now, we'll be changing the roleid of user wiener to 2. You can edit your request to this:
Following the redirection:
Checking the response in the browser, you should have this:
Let's go ahead and delete the carlos account.
We have successfully solved this lab.
User ID controlled by request parameter
Task
Navigate to the webpage:
We were given creds for user wiener; let's log in.
Alright, so in the task description we are asked to retrieve the API key for user carlos.
Taking a look at the URL you have something like this: /my-account?id=wiener. One thing we can do to retrieve the API key for user carlos is change the id parameter.
So, we'll have something like this: /my-account?id=carlos
Submitting the API key:
We have successfully completed this lab.
User ID controlled by request parameter, with unpredictable user IDs
Task
Navigate to the webpage:
Let's log in as user wiener since we were given the creds.
Take a look at the URL; you'll see something like this: /my-account?id=0e05390c-3df5-4a4d-ae21-b65b38a7c19b. We can see the GUID (Globally Unique Identifier) of user wiener.
Our task is to find the GUID for user carlos and then apply it.
Reading the posts you should be able to see the user that posted each one. For example:
Clicking on administrator provides us with the GUID for the user and the blog posts posted by the user.
The URL should have something like this: blogs?userId=5bd25b61-de54-4f06-9667-5c01e9966aee
All we have to do now is look for a blog post that was posted by user carlos.
Found one; clicking on carlos should get us the GUID of the user and the blog posts posted by the user.
The GUID should be located in the URL: /blogs?userId=6dfd4608-7537-4092-bfcf-ea3c4886716a
Applying that GUID to the URL /my-account?id=0e05390c-3df5-4a4d-ae21-b65b38a7c19b, the new URL should have the GUID of user carlos, something like this: /my-account?id=6dfd4608-7537-4092-bfcf-ea3c4886716a
We found the API key; submitting the key:
We have successfully solved this lab.
User ID controlled by request parameter with data leakage in redirect
Task
Navigate to the webpage:
Logging in as user wiener:
So, our task is to get the API key for user carlos.
To solve this lab, what we'll do is capture the request in Burp Suite when we try to log in.
Logging out and logging in again (this time we'll capture the request using Burp Suite):
Forwarding the request:
Sending this over to Burp Repeater:
Now, let's change the id from wiener to carlos.
We got a redirect; before following the redirection let's scroll down the response a little.
The API key was in the body of the redirect response. Submitting the key:
We have successfully solved this lab.
User ID controlled by request parameter with password disclosure
Task
Navigate to the webpage:
Since we have the creds for user wiener, let's log in.
From the above screenshot, you can see that we have the "update password" button. Without changing the password, let's capture the request in Burp Suite.
You can see that the password is in plaintext form.
To get the password for the administrator user, click on that button, capture the request in Burp Suite and then send it to Burp Repeater.
We'll be changing the id parameter from wiener to administrator to see what happens.
Scrolling down the response you should see this:
We have the password for the administrator user hehe.
Let's log in.
We are logged in.
Deleting the carlos account:
We have successfully completed this lab.
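The labs above (trusting an Admin cookie, a client-supplied roleid, and an id parameter) share one root cause: identity and role are taken from the request instead of the server-side session. This is an added example, not code from the post or from the lab application; the in-memory USERS and SESSIONS stores, the Request shape and the field names are constructed for illustration, and each vulnerable handler sits beside its hardened form.

```python
from dataclasses import dataclass

# Constructed in-memory stores; roleid 2 is the admin role, as in the lab text.
USERS = {
    "wiener": {"roleid": 1, "apikey": "wiener-key", "email": "w@example.test"},
    "carlos": {"roleid": 1, "apikey": "carlos-key", "email": "c@example.test"},
}
SESSIONS = {"sess-wiener": "wiener"}  # session token -> username, server-side only
ADMIN_ROLEID = 2

@dataclass
class Request:
    cookies: dict
    params: dict
    form: dict

def current_user(req: Request):
    """Identity comes only from the server-side session table, never from the client."""
    return SESSIONS.get(req.cookies.get("session", ""))

# "User role controlled by request parameter": the role is read from a client cookie.
def is_admin_vulnerable(req: Request) -> bool:
    return req.cookies.get("Admin") == "true"

def is_admin_hardened(req: Request) -> bool:
    user = current_user(req)
    return user is not None and USERS[user]["roleid"] == ADMIN_ROLEID

# "User role can be modified in user profile": every submitted field is written back.
def update_profile_vulnerable(req: Request) -> None:
    USERS[current_user(req)].update(req.form)

EDITABLE_FIELDS = {"email"}  # allow-list of client-editable fields; roleid is not one

def update_profile_hardened(req: Request) -> None:
    user = current_user(req)
    if user is None:
        raise PermissionError("not logged in")
    USERS[user].update({k: v for k, v in req.form.items() if k in EDITABLE_FIELDS})

# "User ID controlled by request parameter": ?id= selects whose account is shown.
def my_account_vulnerable(req: Request) -> dict:
    return USERS[req.params["id"]]

def my_account_hardened(req: Request) -> dict:
    user = current_user(req)
    if user is None:
        raise PermissionError("not logged in")
    requested = req.params.get("id", user)
    if requested != user and not is_admin_hardened(req):
        raise PermissionError("not your account")  # ownership check, not just a login check
    return USERS[requested]
```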
Insecure direct object references
Task
From the task description, user chat logs are stored directly on the server's file system and can be retrieved using static URLs.
Navigate to the webpage:
Let's try to send a message:
That was the message I sent. Click on "View transcript" and see what happens.
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/portswigger]
└─$ cat 2.txt
CONNECTED: -- Now chatting with Hal Pline --<br/>You: vawulence is good for the body<br/>Hal Pline: I heard the other half talking earlier. Someone needs to shape up
Ohh, so it just downloads the conversation we had with it and then names the file. In this case the name of the conversation file is 2.txt.
Let's send another conversation and see what happens when we try to view the transcript.
Trying to view the transcript:
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/portswigger]
└─$ cat 3.txt
You: vawulence is good for the body<br/>Hal Pline: I heard the other half talking earlier. Someone needs to shape up<br/>CONNECTED: -- Now chatting with Hal Pline --<br/>You: vawulence is good for the body<br/>Hal Pline: Why would you want to know something like that?
This was saved as 3.txt. This means, without even sending a message, we can try to download the transcripts starting from 0.txt. After checking for a while, the one that stood out was 1.txt.
So, what you'll do when viewing the transcript is change the number to 1.
At this point, let's invite Burp Suite to this party.
What we'll do now is try to view the transcript, but this time we'll capture the request using Burp Suite.
Forward the request:
Send it over to Burp Repeater.
Changing 4.txt to 1.txt should show us the message where the password is stored.
We found the password hehe.
Let's log in.
We have successfully completed this lab.
URL-based access control can be circumvented
Task
Navigate to the webpage:
Clicking on "Admin panel", you should get this:
We got the "Access denied" error. This means we aren't privileged to access the admin panel.
Let's click on "Admin panel" again, but this time we'll capture the request in Burp Suite and send it over to Burp Repeater.
One way we can solve this is by using the HTTP request header X-Original-URL. This is a request header that some front-end servers use to tell the back-end the original URL or resource that a request was intended for, so the back-end may route on it instead of on the request line.
We'll be using this header with a POST request. Since /admin is the directory we can't view, our request will look like this:
Sending the request:
Cool, we got a status of OK. Checking the response in our browser:
Cool, we can view the admin panel, but when we try to delete the carlos account we get the "Access denied" error.
Take a look at the URL; you'll see something like this: /admin/delete?username=carlos
So, what we'll do now is add /admin/delete to the request header X-Original-URL, and also add the parameter ?username=carlos to the header.
The request will look like this:
Now, let's follow the redirection.
Got this; checking the webpage:
We have successfully solved this lab.
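From the defending side, the override header used in this lab is easy to spot in front-end logs because ordinary browsers never send it. The following is an added example, not part of the original post: detection logic run over constructed JSON-lines access log entries from a reverse proxy that records selected request headers (the log format, field names and IP addresses are assumptions made for this example), plus the mitigation of stripping such headers at the front-end before routing.

```python
import json

# Both headers can rewrite the routed path; only an internal front-end should set them.
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}
PROTECTED_PREFIXES = ("/admin",)

# Constructed sample log lines (not real traffic); one entry per line.
SAMPLE_LOG = """\
{"ip":"203.0.113.5","method":"GET","path":"/","status":200,"headers":{}}
{"ip":"203.0.113.9","method":"GET","path":"/","status":200,"headers":{"X-Original-URL":"/admin"}}
{"ip":"203.0.113.9","method":"GET","path":"/","status":302,"headers":{"x-original-url":"/admin/delete?username=carlos"}}
{"ip":"198.51.100.2","method":"POST","path":"/login","status":302,"headers":{"Referer":"https://example.test/"}}
"""

def override_target(entry: dict):
    """Return the path an override header tries to route to, or None if absent."""
    for name, value in entry.get("headers", {}).items():
        if name.lower() in OVERRIDE_HEADERS:   # header names are case-insensitive
            return value
    return None

def scan_log(text: str) -> list:
    """Flag every request carrying an override header; rate protected targets higher."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        target = override_target(entry)
        if target is None:
            continue
        severity = "high" if target.startswith(PROTECTED_PREFIXES) else "medium"
        findings.append({"ip": entry["ip"], "path": entry["path"], "target": target,
                         "status": entry["status"], "severity": severity})
    return findings

def strip_override_headers(headers: dict) -> dict:
    """Front-end mitigation: drop client-supplied override headers before routing."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
```

A 2xx or 3xx status on a flagged entry whose target is under /admin is the case worth paging on; a 403 means the back-end ignored the header.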
Method-based access control can be circumvented
Task
Navigate to the webpage:
Creds for user administrator were given; we are to log in as that user to familiarize ourselves with the admin panel.
Logging in as the administrator user:
Let's try to upgrade the user carlos; we'll observe how this is done using Burp Suite.
Following the redirection:
We were able to upgrade the user.
Now, let's open another browser and log in as user wiener; this time we'll try to promote ourselves to become an administrator.
We'll try to upgrade user carlos with the user wiener account.
Capture this request in Burp Suite; what we need is the session cookie for user wiener.
Let's replace the admin's session cookie with user wiener's session cookie in the request that upgrades user carlos, so as to see what happens.
Replacing the session cookie:
Oops, we got the "Unauthorized" error.
One thing we can try is tweaking the POST method. What happens if we change it to something like POSTV?
Oops, a bad request with a "Missing parameter 'username'" error.
All hope isn't lost hehe. Let's right-click and change the request method to GET; before this, change the username to wiener since that's who we are trying to upgrade.
Good, following the redirection:
hehehe, we were able to upgrade the user.
Checking the webpage:
We have successfully completed this lab.
Multi-step process with no access control on one step
Task
Navigate to the webpage:
Creds for user administrator were given; we are to log in as that user to familiarize ourselves with the admin panel.
Let's go ahead and log in as the administrator user.
We'll try to upgrade the user carlos; we'll observe how this process is done using Burp Suite.
Forward the request:
Forward this too:
Checking the browser, you'll see this prompt:
So the upgrade is a multi-step process with a confirmation step. Click on yes and check how the request is captured in Burp Suite.
Forward the request:
Cool, we have successfully upgraded the user.
Now, let's open another browser and log in as user wiener; this time we'll try to promote ourselves to become an administrator.
We'll try to upgrade user carlos with the user wiener account.
Capture this request in Burp Suite; what we need is the session cookie for user wiener.
Using the confirmation HTTP request, let's replace the admin's session cookie with user wiener's session cookie in the request that upgrades user carlos, so as to see what happens. Also, change the username from carlos to wiener since that's the user we are trying to promote.
Following the redirection:
Cool stuff, we were able to promote the user.
Checking the webpage:
We have successfully solved this lab.
Referer-based access control
Task
Navigate to the webpage:
Let's familiarize ourselves with the admin panel by logging in as the administrator user.
Let's promote the user carlos. We'll fire up Burp Suite to intercept the request so that we know how the promotion is done.
Forward this request:
Forward this too:
User has been promoted successfully.
Now, let's try to promote user wiener.
First, we have to log in.
We need the session cookie for this user; to get that we can just reload the page and capture the request using Burp Suite.
That's the session cookie we need, so we can try replacing the admin's session cookie in the upgrade request with this one. We'll also change the username from carlos to wiener since that's the user we are trying to promote.
Following the redirection:
We were able to successfully promote the user.
Checking the webpage:
We have successfully solved this lab.
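The last three labs (method-based, multi-step, and Referer-based access control) all fail for the same reason: the authorization check is tied to how the request arrives rather than to the session making it. This added example, not code from the post or the lab application, shows a check keyed on (method, path) for only the final step and trusting the Referer header, beside a hardened check keyed on path prefix, applied to every step, and deciding only on the server-side session. The session store, roles, Request shape and the /admin/upgrade paths are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed session store and role table; the server is the only source of truth.
SESSIONS = {"sess-admin": "administrator", "sess-wiener": "wiener"}  # token -> user
ROLES = {"administrator": "admin", "wiener": "user", "carlos": "user"}

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def session_user(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))

# Vulnerable: only the final POST is checked, so a GET to the same path or the
# confirmation step passes unchecked, and a matching Referer is accepted as proof.
VULN_RULES = {("POST", "/admin/upgrade"): "admin"}

def authorize_vulnerable(req: Request) -> bool:
    needed = VULN_RULES.get((req.method, req.path))
    if needed is None:
        return True                                    # unlisted method or step: no check
    if req.headers.get("Referer", "").endswith("/admin"):
        return True                                    # Referer is client-controlled
    user = session_user(req)
    return user is not None and ROLES[user] == needed

# Hardened: one rule per protected path prefix, applied regardless of HTTP method
# and to every request under that prefix (so /admin/upgrade/confirm is covered too).
PROTECTED = (("/admin", "admin"),)   # prefix -> required role

def authorize_hardened(req: Request) -> bool:
    user = session_user(req)
    for prefix, role in PROTECTED:
        if req.path == prefix or req.path.startswith(prefix + "/"):
            return user is not None and ROLES[user] == role
    return True                                        # public route
```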
Till Next Time :xD