Introduction
So guys, how are you all? Today we continue our series of articles on access control vulnerabilities. This is our 11th article on access control vulnerabilities. In this article, we will cover the PortSwigger Web Security lab 'Method-based access control can be circumvented.' We will provide a complete step-by-step practical guide to help you understand it well.
Lab Description for 'Method-based access control can be circumvented'
This lab is vulnerable to a broken access control flaw. The admin panel credentials have already been provided: 'administrator:admin.' With these credentials, we can log into the admin panel. After logging in, we can modify user roles; for example, we can make Carlos an admin.
To exploit this flaw, we need to make Wiener's account an admin, even though Wiener is not an administrator.
First, we will access the lab.
Lab Solution
After accessing the lab, we will see something like this. Now we will enable Burp's proxy so that all the traffic can be analyzed in the proxy's HTTP history tab.
Next, we will click on ‘My Account’ and log in using the admin credentials.
After logging into the admin panel, you will see that we have the option to upgrade and downgrade users.
I simply upgraded Carlos' account. You can view the request and response.
A POST request to '/admin-roles' was generated in the HTTP history. We will send that request to the Repeater tab. We have upgraded Carlos' account. Now we will log out and log in with the 'wiener:peter' account, because we need to perform privilege escalation on Wiener's account.
We will simply log in with Wiener’s account.
Once you have logged in, click on 'My Account.' A GET request will be generated. You can see it in the screenshot above.
Now we will perform an important step. You can see the request from Wiener's account clearly in the screenshot. Copy the session cookie, shown here as 'session=xyz.'
After copying it, go to the Repeater tab where we sent the '/admin-roles' request and replace the session cookie with Wiener's cookie.
Now right-click on this request and choose 'Change Request Method.'
The request will now be a GET request instead of a POST request.
Change the username from Carlos to Wiener and send the request. The access check only applied to the POST method, so the GET request reaches the same role-change logic without being rejected. We have solved the PortSwigger Web Security lab 'Method-based access control can be circumvented.'
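To show why the method change works and how a developer should fix it, here is an added example (our own illustration, not PortSwigger's lab code). It models two versions of a hypothetical '/admin-roles' handler: a vulnerable one whose admin check is tied to POST, and a hardened one that checks the caller's role first and only then accepts POST. The users, roles and request objects are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample users and roles for the demonstration.
def sample_roles():
    return {"administrator": "admin", "carlos": "user", "wiener": "user"}

@dataclass
class Request:
    method: str           # e.g. "GET" or "POST"
    path: str             # e.g. "/admin-roles"
    user: str             # user identified by the session cookie
    params: dict = field(default_factory=dict)  # username, action

def change_role(req, roles):
    # The actual role-change logic; both dispatchers end up here.
    target = req.params["username"]
    if target not in roles:
        return 404
    roles[target] = "admin" if req.params["action"] == "upgrade" else "user"
    return 200

def dispatch_vulnerable(req, roles):
    # Flaw: the authorization check is bound to the HTTP method, so any
    # non-POST request to /admin-roles skips the check entirely.
    if req.method == "POST" and req.path == "/admin-roles":
        if roles.get(req.user) != "admin":
            return 401
    if req.path == "/admin-roles":
        return change_role(req, roles)
    return 404

def dispatch_hardened(req, roles):
    # Fix: authorize by resource, regardless of method, and only then
    # restrict the state-changing operation to POST.
    if req.path != "/admin-roles":
        return 404
    if roles.get(req.user) != "admin":
        return 401
    if req.method != "POST":
        return 405
    return change_role(req, roles)

def escalation_attempt(dispatch, method):
    # Wiener, a normal user, tries to upgrade his own account.
    roles = sample_roles()
    req = Request(method, "/admin-roles", "wiener",
                  {"username": "wiener", "action": "upgrade"})
    return dispatch(req, roles), roles["wiener"]
```

The vulnerable dispatcher rejects Wiener's POST but accepts the identical GET; the hardened one refuses both because the role check no longer depends on the method.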
You can learn everything related to web security on our website. We upload web security articles on a daily basis.
To continue studying, check out the next lab, 'Multi-step process with no access control on one step.' Finish the current lab before moving on to the next one. Good luck!