Portswigger: URL-based access control can be circumvented Writeup
This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header. To solve the lab, access the admin panel and delete the user carlos. Lab link. We try to access the /admin URL. …