URL-based access control can be circumvented

1

Let's try to access the admin panel.

2

Since we are proxying the traffic through Burp Suite, we can go to Proxy > HTTP History to view the request.

3

Let's forward the request to the Repeater for further modification.

Once inside the Repeater, set the request URI to:

/

and add the following request header:

X-Original-URL: /admin

When the back-end honours it, this header overrides the URI in the request line, so the front-end access control only sees `/` while the back-end actually serves `/admin`.

4

In order to delete the carlos user, we have to set the original URL to:

/?username=carlos

And then we have to modify the header to the following:

X-Original-URL: /admin/delete
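To make the front-end/back-end mismatch concrete, here is an added Python model (not part of the lab or this write-up) of a front-end that authorises on the request URI while the back-end honours `X-Original-URL`, beside a hardened routing that strips such headers at the edge and re-checks the path it will really serve, plus a small check over constructed log entries. The override header list, the function names and the log format are assumptions.

```python
from typing import Dict, List, Tuple

# Assumption: these are the header names a back-end might honour as a URI override.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

def frontend_allows(path: str) -> bool:
    """Front-end control: decides on the URI it was sent, nothing else."""
    return not path.partition("?")[0].startswith("/admin")

def backend_effective_path(path: str, headers: Dict[str, str]) -> str:
    """Vulnerable back-end: an override header replaces the request URI,
    while the query string from the original URL is kept (as in the lab)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    query = path.partition("?")[2]
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            override = lowered[name]
            return override + ("?" + query if query and "?" not in override else "")
    return path

def route_vulnerable(path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Returns (allowed by the front-end, path the back-end actually serves)."""
    if not frontend_allows(path):
        return False, path
    return True, backend_effective_path(path, headers)

def route_hardened(path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Fix: the edge strips override headers before forwarding, and the
    back-end re-checks authorisation against the path it will really serve."""
    clean = {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
    effective = backend_effective_path(path, clean)
    return frontend_allows(effective), effective

def flag_override_headers(log_lines: List[str]) -> List[str]:
    """Detection: return log entries that carried a URI override header."""
    return [ln for ln in log_lines if any(h in ln.lower() for h in OVERRIDE_HEADERS)]

# Constructed sample entries (hypothetical log format that records request headers).
SAMPLE_LOGS = [
    '10.0.0.5 "GET / HTTP/1.1" 200 hdrs="User-Agent: Mozilla"',
    '10.0.0.9 "GET /?username=carlos HTTP/1.1" 302 hdrs="X-Original-URL: /admin/delete"',
]

if __name__ == "__main__":
    print(route_vulnerable("/", {"X-Original-URL": "/admin"}))    # (True, '/admin')
    print(route_hardened("/", {"X-Original-URL": "/admin"}))      # (True, '/')
    print(flag_override_headers(SAMPLE_LOGS))
```

The vulnerable route shows the front-end approving `/` while the back-end serves `/admin/delete?username=carlos`; the hardened route ignores the header entirely and refuses any `/admin` path that reaches the back-end directly.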

5

Let's go and check the panel through the browser.

6

We have solved the lab.