
🗂️PortSwigger Lab Writeup: Multi-Step Process with no Access Control on One Step

🎯 Objective

The objective of this lab is to exploit a broken access control: the application has an admin panel with a flawed multi-step process for changing a user's role. The goal is to find the flawed access control and exploit it to promote yourself to administrator.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-multi-step-process-with-no-access-control-on-one-step
  • Category: Access Control
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    [Screenshot: shopping website homepage displaying product listings and navigation menu]
    [Screenshot: login page interface with username and password fields]
  • At first glance, the website seems to be a shopping site with a login page. The lab description mentions that we need to promote the user wiener to administrator by exploiting a flawed access control.

📝Step 2: Promote carlos to Admin

  • First, log in as administrator.
    [Screenshot: administrator login page with username and password fields]
  • Click on the Admin Panel.
    [Screenshot: admin panel dashboard showing user management options]
  • Send the Upgrade request to upgrade the user carlos to Admin.
    [Screenshot: admin role upgrade request dialog for the carlos user]
  • Click on Yes to confirm it.
  • Now, under HTTP history in Burp Suite, send this same request to Repeater using Ctrl + R.
    [Screenshot: Burp Suite Repeater showing the upgrade-role request details and parameters]
  • Now log out from the administrator account.

🧑‍💼Step 3: Promote wiener to Admin

  • Log in with the wiener credentials: wiener:peter
  • Copy wiener's session ID and replace the session cookie in the request we just sent to the Repeater tab.
  • Also change the username carlos to wiener in the request and send it.
    [Screenshot: Burp Repeater modifying the session token and user parameter for wiener privilege escalation]
  • Hence, we successfully promoted the user wiener to administrator.
  • Finally, the lab is solved.
    [Screenshot: lab solved confirmation after successfully promoting wiener to administrator]

🧠 Conclusion

  • This lab demonstrated how missing access control on intermediate workflow steps allows privilege escalation. By capturing the upgrade request from an admin session and replaying it with a regular user's session token, we bypassed authorization checks and promoted wiener to administrator.
  • The impact is critical — if any step in a multi-step process lacks authorization validation, attackers can perform privileged actions by crafting requests with their own credentials, leading to complete privilege escalation.
  • Fix: enforce authorization checks on every step of multi-step processes, validate that the current user has permission for each action regardless of how they reached that step, use unpredictable and cryptographically signed tokens for state transitions, and log all state-changing operations for audit purposes.
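As an added illustration of the flaw and its fix (not code from the lab or from PortSwigger), the model below keeps the role check only on the confirmation page in one handler and on every step in the other; the parameter names mirror the captured request, while the route, session model and role names are assumptions.

```python
# Model of the lab's two-step role-upgrade flow, written for this writeup
# (constructed example, not the PortSwigger application's code). Step 1
# renders the confirmation page; step 2 (confirmed=true) applies the change.
# Parameter names mirror the captured request; the route and roles are assumed.
from dataclasses import dataclass

@dataclass
class Session:
    """Server-side session bound to a cookie; role comes from the user store."""
    user: str
    role: str

def initial_users():
    # Constructed user store mapping username to role.
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}

def new_role(params):
    return "admin" if params.get("action") == "upgrade" else "user"

def upgrade_vulnerable(session, params, users):
    """Authorization is checked only on the first step (the lab's flaw)."""
    if params.get("confirmed") != "true":
        # Step 1: only admins may see the confirmation page.
        if session.role != "admin":
            return 401, "Unauthorized"
        return 200, f"Upgrade {params['username']} to admin?"
    # Step 2: the role change is applied without checking who is asking.
    users[params["username"]] = new_role(params)
    return 302, "/admin-roles"

def upgrade_fixed(session, params, users):
    """Every step re-validates the caller, regardless of how it was reached."""
    if session.role != "admin":  # checked before either step runs
        return 401, "Unauthorized"
    if params.get("confirmed") != "true":
        return 200, f"Upgrade {params['username']} to admin?"
    users[params["username"]] = new_role(params)
    return 302, "/admin-roles"

def replay_with_own_session(handler):
    """Replays the admin's confirmed step-2 request from wiener's own session."""
    users = initial_users()
    # Constructed copy of the captured request with the username swapped.
    replayed = {"action": "upgrade", "confirmed": "true", "username": "wiener"}
    wiener = Session("wiener", users["wiener"])
    status, _ = handler(wiener, replayed, users)
    return status, users["wiener"]  # vulnerable -> (302, "admin"); fixed -> (401, "user")
```

Logging the caller and target of every state-changing request in the handler, as the conclusion recommends, would make the replayed request visible in the audit trail as a role change requested by a non-admin session.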