
Referer-based access control


We can login as the admin using the following credentials:

Username        Password
administrator   admin


Let's go to the admin panel and upgrade the carlos user.


Since we are proxying the traffic through Burp Suite, we can go to the Proxy > HTTP History tab to view the request.


Notice that the request contains the Referer header set to the following:

https://0ab4000404f019d8885f257200e0002f.web-security-academy.net/admin

That tells the server that the request came from the /admin page, which only the administrator can access. The header is set by the client, so it is not proof of anything.

Let's forward this request to the Repeater for further modification.

Next, let's logout and login using the following credentials:

Username        Password
wiener          peter


We now have to replace the session cookie in the Repeater tab with the wiener user's session cookie and set the username parameter to the following:

wiener


Because the replayed request still carries the Referer header pointing at /admin, the server upgraded the wiener user even though the session cookie belongs to a non-admin account.

Let's check in the browser.


We have solved the lab.
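To show why the lab's check fails, here is an added example (not the lab's or PortSwigger's code) that models the upgrade endpoint two ways: the vulnerable version authorizes on the client-supplied Referer, the fixed version authorizes on the server-side session role. The session store, cookie values and lab URL are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed server-side session store: cookie value -> (username, role).
SESSIONS = {
    "admin-session": ("administrator", "admin"),
    "wiener-session": ("wiener", "user"),
}


@dataclass
class Request:
    cookie: str                     # session cookie sent by the client
    username: str                   # the `username` parameter to upgrade
    headers: dict = field(default_factory=dict)  # client-controlled headers


def upgrade_user_vulnerable(req: Request, roles: dict) -> bool:
    """Referer-based access control: trusts a header the client chooses.

    Any request whose Referer ends in /admin is treated as coming from
    the admin panel, regardless of who the session actually belongs to.
    """
    referer = req.headers.get("Referer", "")
    if not referer.endswith("/admin"):
        return False
    roles[req.username] = "admin"
    return True


def upgrade_user_fixed(req: Request, roles: dict) -> bool:
    """Authorizes from the session's server-side role; Referer is ignored."""
    session = SESSIONS.get(req.cookie)
    if session is None or session[1] != "admin":
        return False
    roles[req.username] = "admin"
    return True


def make_replayed_request() -> Request:
    """The request replayed in the lab: wiener's cookie, admin's Referer."""
    return Request(
        cookie="wiener-session",
        username="wiener",
        headers={"Referer": "https://YOUR-LAB-ID.web-security-academy.net/admin"},
    )


if __name__ == "__main__":
    roles = {}
    print("vulnerable:", upgrade_user_vulnerable(make_replayed_request(), roles))
    print("fixed:", upgrade_user_fixed(make_replayed_request(), {}))
```

The fixed handler also lets a genuine administrator upgrade a user with no Referer at all, which is the point: the decision depends only on state the server controls.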
