Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the ultimate-blocks domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/margheri/public_html/wp-includes/functions.php on line 6121

Notice: _load_textdomain_just_in_time işlevi yanlış çağrıldı. Translation loading for the perfect-portfolio domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Ayrıntılı bilgi almak için lütfen WordPress hata ayıklama bölümüne bakın. (Bu ileti 6.7.0 sürümünde eklendi.) in /home/margheri/public_html/wp-includes/functions.php on line 6121
Portswigger: User role controlled by request parameter Writeup - Aleyna Doğan

Portswigger: User role controlled by request parameter Writeup

Lab link.

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

We log in to the account using the user credentials provided. If we pay attention to the URL part, we see the “id=wiener” parameter.

If we make the id parameter admin in the URL, we display that we cannot access

If we examine the requests, we see that the admin value in the cookie is false.

We set the admin value to true.

We change the cookie value in the GET /admin request and try to delete the user carlos.

This time we need to change the cookie value in the GET /admin/delete?username=carlos request.

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir