PortSwigger's "Unprotected admin functionality" Walkthrough

This is a super brief writeup of the first Apprentice-level access control lab from PortSwigger Academy.

Before we get started, you’ll need a PortSwigger Academy account. Log in and then view the lab at https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality. This is accessible from the “all labs” view.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in the format https://<random string here>.web-security-academy.net/.

This challenge requires us to find an unprotected admin panel, then delete Carlos’ account.

The website is our typical shopping site:

There’s nothing interesting in the page source. If we look at robots.txt, there’s an entry relevant to our interests:

If we browse to https://<random-string>.web-security-academy.net/administrator-panel, we realize that we’ve found the unprotected admin panel:

All that’s left to do is delete Carlos’ account, and we’ve solved the lab!

This might seem unrealistic, but simple mistakes like not securing admin interfaces (especially default ones) do occur.
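The lesson of the lab is that robots.txt hides nothing; every path it lists must still enforce authorization on the server. As an added example (not part of the PortSwigger lab or this writeup), here is a small audit that parses the Disallow entries from a robots.txt file and reports any that serve content to an unauthenticated request instead of denying it. The robots.txt text, the base URL and the `fake_fetch` responder are all constructed stand-ins for the lab site.

```python
import re
from typing import Callable, Dict, List
from urllib.parse import urljoin

# Constructed robots.txt modelled on the lab (not fetched from a live site).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator-panel   # this is what the lab leaks
Disallow: /cart
Allow: /
"""

def disallowed_paths(robots_txt: str) -> List[str]:
    """Return the paths named in Disallow directives, ignoring comments,
    blank lines and the bare '/' that would disallow everything."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # strip trailing comments
        m = re.match(r"(?i)disallow:\s*(\S+)", line)
        if m and m.group(1) != "/":
            paths.append(m.group(1))
    return paths

def audit_unauthenticated(base_url: str, robots_txt: str,
                          fetch: Callable[[str], int]) -> Dict[str, int]:
    """Request every disallowed path with no session and collect those that
    answer 200. A properly protected admin path should answer 401/403 or
    redirect (3xx) to a login page. `fetch(url) -> status` is injected so
    the same check runs against a fake client here or a real one in a test."""
    findings = {}
    for path in disallowed_paths(robots_txt):
        status = fetch(urljoin(base_url, path))
        if status == 200:
            findings[path] = status
    return findings

# Constructed responder standing in for the lab's server: the admin panel
# is served to anyone, while /cart sends anonymous users to a login page.
def fake_fetch(url: str) -> int:
    return 200 if url.endswith("/administrator-panel") else 302

if __name__ == "__main__":
    base = "https://YOUR-LAB-ID.web-security-academy.net/"   # placeholder host
    for path, status in audit_unauthenticated(base, SAMPLE_ROBOTS, fake_fetch).items():
        print(f"UNPROTECTED: {path} returned {status} without authentication")
```

Against a real deployment, replace `fake_fetch` with a client that sends no cookies or tokens; an empty result means every hidden path at least turned an anonymous request away.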