4.6. Web: User role controlled by request parameter (Web Security Academy)

Web Security Academy >> Access control >> Lab

Well, I checked the robots.txt file and the site's source code, and also guessed at hidden directories, but in the end I did not find anything, so we will use Burp. But in the end we must access the admin panel??

So we tried adding /admin. We might achieve something, but:

First of all, you must log in using “wiener:peter”.

But I found the message “Admin interface is only available if you are logged in as administrator”.

I will run intercept in Burp, try again by adding /admin, and forward the request so it goes to the server:

This request contains two cookies:

“Admin=false”: This cookie indicates that the current user is not a system administrator. A value of “false” means he is not an administrator.

“session=0dl420TfDQJuY2vIiMv6ZCC8W0z2wPAs”: This cookie is used to hold the user's session. It is supposed to contain a session identifier that is used to identify the user and allow them to access the appropriate content in the application.

So, if we change the value from “false” to “true”, will it then take me to the admin panel? Let's try.

Cookie: Admin=false; session=0dl420TfDQJuY2vIiMv6ZCC8W0z2wPAs

We have changed the value, and it has taken us into the admin panel:

Cookie: Admin=true; session=0dl420TfDQJuY2vIiMv6ZCC8W0z2wPAs

Well, we have reached the admin panel:

But I ran into a problem when I deleted the user Carlos: it refused to do so. It seems that it checks the cookies on every request the user makes, so we will do the following:

Open the proxy settings.

After that, go to Match and Replace rules and add a new rule as follows:

After adding this rule in Burp, the admin panel will let you delete the user without stopping each request and modifying it by hand:
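To make the root cause concrete, here is an added example (not code from the lab or from PortSwigger) of the check behind this lab: the vulnerable version trusts the client-supplied Admin cookie, the fixed version derives the role from a server-side session record, and a third helper flags requests whose Admin=true claim does not match the session's real role. The session store, its second session id and the role mappings are assumptions constructed for this example; the first session id is the one shown above.

```python
from http.cookies import SimpleCookie

# Constructed server-side session store standing in for the lab's real one.
# The first session id is the one shown in the write-up; the role mappings
# and the second id are assumptions made for this example.
SESSION_STORE = {
    "0dl420TfDQJuY2vIiMv6ZCC8W0z2wPAs": {"user": "wiener", "role": "user"},
    "constructed-admin-session-id": {"user": "administrator", "role": "admin"},
}


def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie header value into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The lab's flaw: the role is read straight from a client-controlled cookie,
    so any request carrying Admin=true is treated as an administrator."""
    return parse_cookies(cookie_header).get("Admin", "false") == "true"


def is_admin_fixed(cookie_header: str) -> bool:
    """The fix: derive the role from the server-side session record that the
    session id points to, and ignore any role claim carried in the request."""
    cookies = parse_cookies(cookie_header)
    record = SESSION_STORE.get(cookies.get("session", ""))
    return record is not None and record["role"] == "admin"


def tampered_role_claim(cookie_header: str) -> bool:
    """Detection: a request claiming Admin=true for a session whose server-side
    role is not admin is a tampered cookie, worth logging and alerting on."""
    cookies = parse_cookies(cookie_header)
    record = SESSION_STORE.get(cookies.get("session", ""))
    claims_admin = cookies.get("Admin") == "true"
    really_admin = record is not None and record["role"] == "admin"
    return claims_admin and not really_admin


if __name__ == "__main__":
    tampered = "Admin=true; session=0dl420TfDQJuY2vIiMv6ZCC8W0z2wPAs"
    print("vulnerable check:", is_admin_vulnerable(tampered))  # True
    print("fixed check:     ", is_admin_fixed(tampered))       # False
    print("tampered claim:  ", tampered_role_claim(tampered))  # True
```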

See you soon in other reports….!!

Abdelwahab_Shandy

AS_Cyber