
Multi-step process with no access control on one step

Introduction

Hello everyone. This is our 12th article on access control vulnerabilities. In this one we cover the "Multi-step process with no access control on one step" lab from the PortSwigger Web Security Academy and walk through the solution step by step so that the flaw itself, not just the lab, is clear.

Lab Description For Multi-step process with no access control on one step

This lab has an admin panel whose multi-step process for changing a user's role is flawed. To help you understand the application, the administrator's credentials are provided: administrator:admin. Log in with them to see how the admin panel works. To solve the lab, log in as wiener (credentials wiener:peter) and use the flaw to make wiener an administrator.

Lab Solution


First, open the lab, click "My account" and log in with the administrator credentials. Before logging in, make sure Burp Proxy is enabled so that the traffic is recorded in the HTTP history.

After logging in, click on "Admin panel". You will see the admin panel, which lists the users and lets you upgrade a user to administrator.


When I tried to upgrade the user carlos, the application first asked me to confirm that I really wanted to upgrade this user. A flow like this, where one action is split across several requests, is called a multi-step process, and the flaw we are going to exploit is that not every step of it checks who is making the request.

In the HTTP history you can see that two requests were sent to /admin-roles. The first one, sent when I clicked Upgrade, got a 200 response containing the "are you sure?" confirmation page. The second one, sent when I clicked Yes on that page, got a 302 response: the upgrade was applied and the browser was redirected back to the admin panel.

Now send both requests to the Repeater tab for testing. Keep in mind that the second request, the one with the 302 response, is the one we will use to exploit the bug, because that is the step that actually changes the role.



Now go back to the browser, log out of the administrator account and log in as wiener. Open the browser's developer tools, go to the Application tab and copy the session cookie. A cookie editor extension also works for this.

In Repeater, replace the session cookie in the first request (the one that originally got 200 OK) with wiener's cookie and send it. The response now says the action is unauthorized: the first step of the process does check that the user is an administrator.


Now put wiener's cookie into the second request, the one that originally got a 302, and send it. This time it succeeds: the confirmation step does not check the user's role at all, so it applies the change for anyone with a valid session.

At the end of the request body the username is still carlos. Change it to wiener, because it is wiener we want to upgrade, and send the request again. Reload the page in the browser as wiener and the admin panel is now available.
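The flaw the lab demonstrates, modelled as an added Python example (this is not the lab's code): a role-changing endpoint where only the confirmation page checks the caller's role, beside the fixed version that checks on every step. The /admin-roles path and the action, confirmed and username parameters are assumptions about the request shape you see in your own HTTP history; the session store, cookie values and the 401 "Unauthorized" text are constructed for the example.

```python
"""Model of the lab's two-step role-upgrade flow, vulnerable and fixed.

Added illustration, not the lab's backend. Endpoint path and parameter
names (action, confirmed, username) are assumptions; check your capture.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode

# Constructed session store: cookie value -> logged-in username.
SESSIONS = {"sess-admin": "administrator", "sess-wiener": "wiener"}


@dataclass
class RoleService:
    """Handles POST /admin-roles. With enforce_every_step=False it has the
    lab's flaw: only the confirmation page checks the caller's role."""
    admins: set = field(default_factory=lambda: {"administrator"})
    enforce_every_step: bool = False

    def admin_roles(self, cookie, body):
        params = decode_body(body)
        user = SESSIONS.get(cookie)
        if user is None:
            return 302, "redirect to /login"
        if params.get("confirmed") != "true":
            # Step 1: render the "are you sure?" page. The role check lives here.
            if user not in self.admins:
                return 401, "Unauthorized"
            return 200, f"Are you sure you want to {params['action']} {params['username']}?"
        # Step 2: apply the change. The vulnerable version assumes step 1 ran
        # and checked the role; the fixed version re-checks on this step too.
        if self.enforce_every_step and user not in self.admins:
            return 401, "Unauthorized"
        target = params["username"]
        if params["action"] == "upgrade":
            self.admins.add(target)
        elif params["action"] == "downgrade":
            self.admins.discard(target)
        return 302, "redirect to /admin"


def decode_body(body):
    """Turn an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def step1_body(username, action="upgrade"):
    """The request the Upgrade link sends (200 response in Burp)."""
    return urlencode({"action": action, "username": username})


def step2_body(username, action="upgrade"):
    """The confirmed request, i.e. the one that got a 302 in Burp."""
    return urlencode({"action": action, "confirmed": "true", "username": username})


def run_admin_flow(service, cookie, target):
    """Legitimate use: both steps with an administrator session."""
    s1, _ = service.admin_roles(cookie, step1_body(target))
    s2, _ = service.admin_roles(cookie, step2_body(target))
    return s1, s2, target in service.admins


def run_exploit(service, cookie, target):
    """What the write-up does: skip step 1 and replay only the confirmed
    step with the low-privilege cookie, username swapped to our own."""
    status, _ = service.admin_roles(cookie, step2_body(target))
    return status, target in service.admins


if __name__ == "__main__":
    vuln, fixed = RoleService(), RoleService(enforce_every_step=True)
    print("step 1 as wiener:", vuln.admin_roles("sess-wiener", step1_body("carlos")))
    print("exploit vs vulnerable:", run_exploit(vuln, "sess-wiener", "wiener"))
    print("exploit vs fixed:", run_exploit(fixed, "sess-wiener", "wiener"))
```

The point of the model is that a confirmation page is not a security boundary: the server cannot know that the confirmed request was preceded by the unconfirmed one, so the state-changing step must perform the same authorization check as every other step.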


You can see that we have successfully solved the PortSwigger Web Security lab “Multi-step process with no access control on one step.”

To continue studying, check out the next lab, Referer-based access control, but finish the current lab before moving on. Good luck!
