Inconsistent security controls

Introduction

Hello everyone, this is our 4th article focusing on business logic flaws. In this article, we will cover the lab “Inconsistent Security Controls” from PortSwigger Web Security. We will provide you with step-by-step practical guidance on how to solve this lab.

Table of Contents

Lab Description Of Inconsistent Security Controls

This lab contains a business logic flaw. There is an administrative functionality within the lab that is intended only for company employees. However, due to a flaw, an attacker can gain unauthorized access. To solve this lab, you need to navigate to the admin panel and delete the user “Carlos”.

Lab Solution

First, access the lab.

Once you have accessed the lab, open your Burp Suite and enable the proxy. Then, reload the lab. Go to the Target tab and navigate to the sitemap. Right-click on the lab’s domain, click on “Engagement Tools,” and then select “Discover Content.” The Content Discovery tool will open. Click on “Session not running” to start the content discovery process. Wait for a while, and you will discover a page named “/admin.” You can also check the sitemap for this page.

As you can see clearly, I have found an unauthorized admin page in the sitemap.

When I tried accessing “/admin” in the browser, I received an error message saying, “Admin interface only available if logged in as a DontWannaCry user.”

Now, you can see that I am on the registration page. Here, I will create an account that will make the server believe that I am an internal user within this company.

First, I will create a simple account so that I can log in later.

I have entered my details here.

I have provided the email “attacker@exploit-0aa200120450fad6811e474f01370038.exploit-server.net” and the password.

Now, I need to verify my account by accessing the email client, which is available in the lab.

I have received the email, and I have verified my account.

So, I clicked on “My Account” and logged into my account.

Now, I need to obtain admin privileges. Only employees with the “@DontWannaCry.com” email domain can have these privileges. So, I will update my email to “admin@DontWannaCry.com“.

I am currently updating it to “admin@DontWannaCry.com“.

As you can see, I have gained access to the admin interface, and now I can delete the “Carlos” account.

After clicking on the admin panel, I successfully deleted the “Carlos” account, and the lab is now solved.

So, as you can see, we have successfully solved the “Inconsistent Security Controls” lab from PortSwigger’s web security.

You can also follow us on Twitter @masaudsec.

To continue studying check out the next lab i.e. Flawed Enforcement Of Business Rules, cover the current lab before visiting the next lab. Good Luck!