Showing 39 Result(s)

Portswigger: Referer-based access control Writeup

This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator. Lab link. We log in to the admin panel, …

Portswigger: Insecure direct object references Writeup

This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs. Solve the lab by finding the password for the user carlos, and logging into their account. Lab link. The live chat section draws attention and if we press the “View transcript” button after making a few conversations, the …

Portswigger: User ID controlled by request parameter Writeup

This lab has a horizontal privilege escalation vulnerability on the user account page. To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials: wiener:peter Lab link. We log in to the system with the login information provided. /my-account?id=wiener …

Portswigger: Method-based access control can be circumvented Writeup

This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator. Lab link. We log in as admin and examine …