🗂️PortSwigger Lab Writeup: Method-Based Access Control can be Circumvented

PortSwigger lab banner: Method-based access control can be circumvented


🎯 Objective

The objective of this lab is to exploit a broken access control in an app whose admin panel implements access controls based partly on the HTTP method of requests. The goal is to find a flawed access control and exploit it to promote yourself to administrator.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-method-based-access-control-can-be-circumvented
  • Category: Access Control
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First open the lab URL in your browser and observe what it is about and how it works.
    (Screenshot: shopping website homepage displaying product listings and navigation)
    (Screenshot: login page with username and password fields)
  • At first glance, the website seems to be a shopping website with a login page. The lab description states that we need to promote the user wiener to administrator by exploiting a flawed access control.

📝Step 2: Try Accessing Admin Panel

  • Click on Admin Panel and see the normal response.
    (Screenshot: access denied page when clicking the Admin Panel link)
  • Now log in with the administrator credentials to look for a flawed access control in the admin panel.
    (Screenshot: administrator login page prompting for username and password)
  • Now open the Admin Panel again and see how it works.
    (Screenshot: admin panel dashboard showing user role management options)
  • Here we have a feature to make other users admin. Let's test it by making carlos an admin.
  • Now open the HTTP history in Burp Suite and look at the POST /admin-roles request and its response.
    (Screenshot: Burp Suite HTTP history showing the POST /admin-roles request used to change roles)
  • Hence, this /admin-roles endpoint is the one to target: it can be used to make the user wiener an admin without being authenticated as the administrator.

🧑‍💼Step 3: Promote wiener to Admin

  • Log in with the wiener credentials: wiener:peter
  • Open the admin panel so that the request is logged in Burp Suite.
    (Screenshot: admin panel access attempt recorded in Burp for analysis)
  • Now send this request to Repeater using Ctrl + R.
  • Modify the GET /admin request to GET /admin-roles?username=wiener&action=upgrade and send the request.
    (Screenshot: Burp Repeater request using GET /admin-roles to upgrade wiener, showing a successful response)
  • Hence, we successfully promoted the user wiener to administrator.
  • And finally, the lab is solved.
    (Screenshot: lab solved confirmation after promoting wiener to administrator)

🧠 Conclusion

  • This lab demonstrated how method-based access control can be flawed when authorization depends on the HTTP method. By invoking GET /admin-roles?username=wiener&action=upgrade, we bypassed the intended POST-only check and escalated privileges.
  • The impact is high: attackers can alter roles or perform privileged actions by switching methods or calling alternate routes that lack proper server-side authorization.
  • Fix: enforce server-side authorization regardless of HTTP method, validate the user's permissions for every action, restrict sensitive endpoints to the correct method and verify it server-side, and use centralized authorization checks rather than method-based assumptions.
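The flaw exploited in Steps 2 and 3 and the fix described in the conclusion, as an added example that is not the lab's own code: a minimal Python model of a routing layer in which the admin check sits only inside the POST branch, beside a version that runs one centralized check per route before the method is considered. The route table, the role dictionary, the response strings and the dispatcher names are constructed assumptions, not anything from the lab.

```python
SENSITIVE_ROUTES = {"/admin", "/admin-roles"}          # routes that need the admin role
ALLOWED_METHODS = {"/admin": {"GET"}, "/admin-roles": {"POST"}}  # constructed route table


def upgrade_user(roles, username):
    """The privileged action behind /admin-roles: promote a user to administrator."""
    if username not in roles:
        return 404, "no such user"
    roles[username] = "administrator"
    return 200, f"{username} is now administrator"


def vulnerable_dispatch(roles, method, path, params, actor):
    """Flawed routing (hypothetical model): the admin check lives inside the POST
    branch only, so the same parameters sent with GET reach the action unchecked."""
    if path != "/admin-roles":
        return 404, "not found"
    if method == "POST":
        if roles.get(actor) != "administrator":
            return 401, "Unauthorized"
        return upgrade_user(roles, params["username"])
    # GET and every other method fall through to the privileged action
    return upgrade_user(roles, params["username"])


def hardened_dispatch(roles, method, path, params, actor):
    """Fixed routing: one centralized check keyed on the route runs before the
    method is even looked at, and unsupported methods are rejected outright."""
    if path not in ALLOWED_METHODS:
        return 404, "not found"
    if path in SENSITIVE_ROUTES and roles.get(actor) != "administrator":
        return 401, "Unauthorized"
    if method not in ALLOWED_METHODS[path]:
        return 405, "Method Not Allowed"
    if path == "/admin-roles":
        if params.get("action") != "upgrade":
            return 400, "unsupported action"
        return upgrade_user(roles, params["username"])
    return 200, "admin panel"


def replay_lab(dispatch):
    """Replays the lab's request as wiener: GET /admin-roles?username=wiener&action=upgrade.
    Returns (status, wiener's role afterwards) so both dispatchers can be compared."""
    roles = {"wiener": "user", "carlos": "user", "administrator": "administrator"}  # constructed
    params = {"username": "wiener", "action": "upgrade"}
    status, _ = dispatch(roles, "GET", "/admin-roles", params, actor="wiener")
    return status, roles["wiener"]


if __name__ == "__main__":
    print("vulnerable:", replay_lab(vulnerable_dispatch))  # (200, 'administrator')
    print("hardened:  ", replay_lab(hardened_dispatch))    # (401, 'user')
```

The hardened dispatcher answers 401 before it ever consults the method, so changing GET to POST, HEAD or anything else gives the same result; the 405 only matters once the caller is already an administrator.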