PortSwigger's "Inconsistent security controls" Walkthrough

This is a writeup for the “inconsistent security controls” lab from PortSwigger Academy. For this walkthrough, you’ll need a PortSwigger Academy account.

Log in to your Academy account and then view the lab at https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-security-controls. This is accessible from the “all labs” view or from the Business Logic Flaws page.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in the format https://<random string here>.web-security-academy.net/.

Our goal for this lab is to find the admin interface and delete Carlos’ account.

If we open up the website and guess that the admin interface is at /admin, we see this message:

We aren’t given a set of credentials for this lab, so we’ll need to register a new account:

We could try a @dontwannacry.com account here, but we can’t log in with it. That’s because there’s a confirmation email.

We have an assigned email client where we can receive these emails (follow the Email Client link in the Academy header):

If we want to receive an email, we’ll have to do so with our assigned email address:

Lab Solution

After registering, log in with the credentials you provided (admin/peter in this case). Having a username of admin does not help us, but once we log in, we’re able to change our email:

Change it to <username>@dontwannacry.com, and you should see an admin link appear:

Click this to go to the admin portal at /admin:

Then delete the user to complete the lab!

The reason this lab is called “inconsistent security controls” is that the email address is confirmed at registration but not when it is changed later on. This effectively makes the first confirmation requirement pointless: any check that trusts the email domain (such as the admin link) can be satisfied with an unverified address.
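To make the inconsistency concrete, here is an added example (not PortSwigger’s code, and not how the lab is actually implemented) that models the two flows side by side: registration, which requires the emailed token before the address is trusted, and the email-change endpoint in both its vulnerable and its fixed form. The `AccountService` class, the `outbox` list standing in for the email client, the `ADMIN_DOMAIN` constant and the sample addresses are all constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: the domain whose users are shown the admin link in the lab.
ADMIN_DOMAIN = "dontwannacry.com"


@dataclass
class User:
    username: str
    email: str
    verified: bool = False
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class AccountService:
    """Hypothetical account store with registration, confirmation and email change."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # Constructed stand-in for the lab's email client: (recipient, token) pairs.
        self.outbox: List[Tuple[str, str]] = []

    def _send_verification(self, user: User, email: str) -> str:
        # The token is only delivered to the address being claimed.
        token = secrets.token_urlsafe(16)
        user.pending_email = email
        user.pending_token = token
        self.outbox.append((email, token))
        return token

    def register(self, username: str, email: str) -> User:
        # Registration: the address is recorded but not trusted until confirmed.
        user = User(username=username, email=email)
        self.users[username] = user
        self._send_verification(user, email)
        return user

    def confirm(self, username: str, token: str) -> bool:
        # Consumes the pending token; only the mailbox owner can get here.
        user = self.users[username]
        if user.pending_token is None or not hmac.compare_digest(user.pending_token, token):
            return False
        user.email = user.pending_email
        user.verified = True
        user.pending_email = user.pending_token = None
        return True

    def change_email_vulnerable(self, username: str, new_email: str) -> None:
        # The lab's behaviour: the new address takes effect immediately,
        # so the verification done at registration is bypassed.
        self.users[username].email = new_email

    def change_email_fixed(self, username: str, new_email: str) -> str:
        # Consistent control: the stored address does not change until the
        # token mailed to the new address is confirmed.
        return self._send_verification(self.users[username], new_email)

    def is_admin(self, username: str) -> bool:
        # Domain-based privilege check, as the lab's admin link implies.
        user = self.users[username]
        domain = user.email.rpartition("@")[2].lower()
        return user.verified and domain == ADMIN_DOMAIN


def demo() -> Tuple[bool, bool]:
    """Returns (admin after vulnerable change, admin after fixed change without confirming)."""
    # Constructed sample user and addresses; the user owns only the .test mailbox.
    vuln = AccountService()
    vuln.register("wiener", "wiener@example-mail.test")
    vuln.confirm("wiener", vuln.outbox[-1][1])
    vuln.change_email_vulnerable("wiener", "wiener@" + ADMIN_DOMAIN)

    fixed = AccountService()
    fixed.register("wiener", "wiener@example-mail.test")
    fixed.confirm("wiener", fixed.outbox[-1][1])
    fixed.change_email_fixed("wiener", "wiener@" + ADMIN_DOMAIN)

    return vuln.is_admin("wiener"), fixed.is_admin("wiener")


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The fix is not a stronger check at one endpoint but the same check applied everywhere the email address can be set. In the hardened flow the attacker still needs a token that was delivered to the dontwannacry.com mailbox, which is exactly the barrier that stopped registration with that domain in the first place.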