PortSwigger's "Unprotected admin functionality with unpredictable URL" Walkthrough

This is another quick writeup of an Apprentice-level access control lab from PortSwigger Academy, this time with an “unpredictable” URL.

Before we get started, you’ll need a PortSwigger Academy account. Log in and then view the lab at https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url. This is accessible from the “all labs” view.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in the format https://<random string here>.web-security-academy.net/.

This challenge requires us to find an unprotected admin panel, this time in a non-obvious location, then delete Carlos’ account.

The website is our typical shopping site:

If we view the source code by right-clicking anywhere on the page and selecting View Source, there’s an interesting JavaScript section:

This code would change the header links for an admin user by creating a new link element and setting its href to /admin-p8lfpz. Because the script is sent to every visitor, the “unpredictable” path is visible to anyone who reads the page source.

Lab Solution

If we browse directly to https://<random-string>.web-security-academy.net/admin-p8lfpz, we’ve once again found the unprotected admin panel:

Delete the Carlos account, and the lab is solved!
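The lesson of this lab is that an obscure URL is not access control: the only fix is a server-side authorization check on every request. The following is an added example (not code from the lab or from PortSwigger) that models the vulnerable handler beside a hardened one; the request object, the user table and the `delete` parameter are constructed for illustration.

```python
from dataclasses import dataclass, field

# Path leaked by the lab's inline JavaScript (see the walkthrough above).
ADMIN_PATH = "/admin-p8lfpz"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path, query parameters and the
    server-side session the framework resolved from the user's cookie."""
    path: str
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def fresh_users() -> dict:
    # Constructed user table; 'carlos' is the account the lab asks you to delete.
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def admin_panel_obscure_only(req: Request, users: dict) -> int:
    """Vulnerable pattern from the lab: the handler is reachable by anyone who
    knows the path, and the path is the only 'protection'. Returns an HTTP status."""
    if req.path != ADMIN_PATH:
        return 404
    target = req.params.get("delete")          # hypothetical delete action
    if target is not None:
        users.pop(target, None)                # nobody checks who is asking
    return 200


def admin_panel_enforced(req: Request, users: dict) -> int:
    """Hardened handler: the role is looked up server-side on every request,
    so learning the URL gains an unauthorized visitor nothing."""
    if req.path != ADMIN_PATH:
        return 404
    user = req.session.get("user")
    if user is None:
        return 401                             # not logged in at all
    if users.get(user) != "admin":
        return 403                             # logged in, but not an admin
    target = req.params.get("delete")
    if target is not None:
        users.pop(target, None)
    return 200
```

The hardened version consults the user table rather than a role stored in the session, so a role claim the client could influence is never trusted.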