
Unprotected admin functionality


So, how are you all? Today, we are starting to write articles on access control vulnerabilities. This is our first article on access control vulnerabilities. In this article, we will cover the PortSwigger Web Security lab “Unprotected admin functionality” with complete step-by-step practicals to help you understand it better.

Lab Description Of Unprotected admin functionality


As you can see, there is a flaw in the lab that allows us to directly access the admin panel without any restrictions. In this lab, we will access the admin panel and delete Carlos’ account.

Lab Solution


First, access the lab.

After accessing the lab, read the “/robots.txt” file. You can see that “/administrator-panel” is disallowed in robots.txt. Now, let’s simply attempt to access “/administrator-panel” and see if it opens directly or not.


So, the admin panel opened directly: there was no access restriction on it at all.

Now, we will delete Carlos’ account to solve our lab.

After deleting Carlos’ account, our lab is successfully solved.
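The root cause here is that a `Disallow` line in robots.txt only asks crawlers to stay away; it enforces nothing on the server. The following is an added example, not code from the lab or the original article: it models a vulnerable and a hardened route table and audits which robots.txt paths an anonymous request can still load. The route tables, the `administrator` role name, and the sample robots.txt are constructed assumptions.

```python
# Added example: constructed robots.txt and toy route tables, not the lab's code.
ROBOTS_TXT = """User-agent: *
Disallow: /administrator-panel
"""


def disallowed_paths(robots_txt):
    """Return the paths listed on Disallow lines of a robots.txt body."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


# Hypothetical route tables: path -> role required (None means no check at all).
VULNERABLE_ROUTES = {"/": None, "/administrator-panel": None}
HARDENED_ROUTES = {"/": None, "/administrator-panel": "administrator"}


def handle(routes, path, session_role=None):
    """Return the HTTP status for a request, enforcing the required role server-side."""
    if path not in routes:
        return 404
    required = routes[path]
    if required is None:
        return 200                                # public page
    if session_role is None:
        return 401                                # not logged in
    return 200 if session_role == required else 403


def audit(routes, robots_txt):
    """List Disallow'd paths that an anonymous request can still load."""
    return [p for p in disallowed_paths(robots_txt) if handle(routes, p) == 200]


if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_ROUTES, ROBOTS_TXT))
    print("hardened:  ", audit(HARDENED_ROUTES, ROBOTS_TXT))
```

Any path the audit returns is sensitive enough to hide from crawlers yet reachable without a session, which is exactly the condition this lab exercises.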

You can learn everything related to web security on our website. We upload the latest articles on web security topics on a daily basis, so stay with us.

In this article, we have successfully covered the PortSwigger Web Security lab “Unprotected admin functionality.”

To continue studying, check out the next lab, Unprotected Admin Functionality With Unpredictable URL. Complete the current lab before moving on to the next one. Good luck!

Don’t forget to follow me on Twitter @masaudsec

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always good practice to use an up-to-date browser and install updates promptly. Keep your browser plugins up to date, avoid malicious websites and links, always enable two-factor authentication, and watch out for clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
