
🗂️PortSwigger Lab Writeup: Referer-Based Access Control



🎯 Objective

This lab controls access to certain admin functionality based on the HTTP Referer header. The admin panel can be explored with the credentials administrator:admin; the goal is to log in as wiener:peter and exploit the flawed access control to promote wiener to administrator.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-referer-based-access-control
  • Category: Access Control
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Open the lab URL in your browser and observe how the site works.
  • At first glance it is a shopping website with a login page. The lab description says we need to promote the user wiener to administrator by exploiting a flawed access control on the admin panel.

📝Step 2: Capture the role-upgrade request as administrator

  • First log in as administrator (the credentials administrator:admin are given in the lab description).
  • Open the Admin Panel and use it to upgrade carlos to admin. The browser sends the role-upgrade request with a Referer header pointing at the admin panel page.
  • In Burp Suite, find that role-upgrade request under HTTP history and send it to Repeater with Ctrl + R. Note the Referer header: according to the lab, it is the only thing the server checks before performing the upgrade.
  • Now log out of the administrator account.

🧑‍💼Step 3: Promote wiener to Admin

  • Log in with the wiener credentials: wiener:peter.
  • Copy wiener's session cookie and paste it over the administrator's session cookie in the Repeater request. Leave the Referer header as it is, still pointing at the admin panel.
  • Change username=carlos to username=wiener in the request and send it.
  • The server accepts the request on the strength of the Referer header alone, so wiener is promoted to administrator.
  • The lab is marked as solved.

🧠 Conclusion

  • This lab demonstrated that a Referer-based access control is fundamentally flawed as an authorization mechanism. By capturing the administrator's role-upgrade request and replaying it with wiener's session cookie while keeping the Referer header pointing at the admin panel, we bypassed the check and escalated wiener to administrator.
  • The impact is critical: the Referer header is fully client-controlled and can be set to any value in Repeater, curl or a script, so it proves nothing about where a request came from or who sent it. An attacker who knows the admin endpoint's URL can forge the header as easily as the URL itself.
  • Fix: never base authorization decisions on request headers such as Referer. Bind the user's role to the server-side session, check that role on every request to admin functionality, and enforce the check in the application logic of the endpoint itself rather than in front-end navigation or header inspection.
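To make the flaw and its fix concrete, here is an added Python model (not PortSwigger's lab code) that builds wiener's forged request from Step 3 and replays it against two versions of the role-upgrade handler: a lab-style one that trusts only the Referer header, and a hardened one that checks the role bound server-side to the session cookie. The host name, the session cookie values, the /admin-roles path with its username and action parameters, and the status codes are all assumptions made for illustration.

```python
"""Referer-based access control: the flawed check beside a proper one.

Added example, not the lab's own code. The host, cookie values, endpoint
path, parameter names and status codes below are assumed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"  # assumed placeholder host

# Constructed server-side state: session cookie -> (username, role), and the
# user table the role-upgrade endpoint modifies.
SESSIONS = {
    "adminSessionToken": ("administrator", "admin"),  # assumed cookie values
    "wienerSessionToken": ("wiener", "user"),
}
INITIAL_USERS = {"administrator": "admin", "carlos": "user", "wiener": "user"}


@dataclass
class Request:
    path: str                                   # e.g. /admin-roles?username=...
    headers: dict = field(default_factory=dict)

    def cookie(self, name):
        """Return one cookie's value from the Cookie header, or None."""
        for part in self.headers.get("Cookie", "").split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                return value
        return None

    def raw(self):
        """Render the request roughly as it appears in Burp Repeater."""
        lines = [f"GET {self.path} HTTP/1.1", f"Host: {LAB_HOST}"]
        lines += [f"{name}: {value}" for name, value in self.headers.items()]
        return "\r\n".join(lines) + "\r\n\r\n"


def forge_upgrade(session_cookie, target_user):
    """Step 3 in code: the victim's own session plus a Referer that points at
    the admin panel, which the client is free to set to anything."""
    return Request(
        path=f"/admin-roles?username={target_user}&action=upgrade",
        headers={
            "Cookie": f"session={session_cookie}",
            "Referer": f"https://{LAB_HOST}/admin",
        },
    )


def _apply_role_change(req, users):
    """Shared endpoint logic: parse the query string and update the role."""
    url = urlparse(req.path)
    if url.path != "/admin-roles":
        return 404
    params = parse_qs(url.query)
    username = params.get("username", [None])[0]
    action = params.get("action", [None])[0]
    if username not in users or action not in ("upgrade", "downgrade"):
        return 400
    users[username] = "admin" if action == "upgrade" else "user"
    return 302  # modelled as a redirect back to the admin panel


def role_change_vulnerable(req, users):
    """The lab's flaw: the only authorization signal is the Referer header."""
    referer = req.headers.get("Referer", "")
    if not referer.startswith(f"https://{LAB_HOST}/admin"):
        return 401
    return _apply_role_change(req, users)


def role_change_fixed(req, users, sessions=SESSIONS):
    """Hardened: look up the role bound to the session cookie on the server
    and ignore the Referer header entirely."""
    session = sessions.get(req.cookie("session"))
    if session is None or session[1] != "admin":
        return 401
    return _apply_role_change(req, users)


def run_lab():
    """Replay wiener's forged request against both handlers and report the
    status code and wiener's resulting role for each."""
    forged = forge_upgrade("wienerSessionToken", "wiener")
    vuln_users = dict(INITIAL_USERS)
    fixed_users = dict(INITIAL_USERS)
    return {
        "vulnerable": (role_change_vulnerable(forged, vuln_users), vuln_users["wiener"]),
        "fixed": (role_change_fixed(forged, fixed_users), fixed_users["wiener"]),
    }


if __name__ == "__main__":
    print(forge_upgrade("wienerSessionToken", "wiener").raw())
    print(run_lab())
```

The vulnerable handler lets the forged request through and wiener ends up with the admin role; the fixed handler returns 401 because wiener's session is bound to the user role, no matter what the Referer says. Dropping the Referer header entirely is rejected by the vulnerable handler too, which is why the replay in Step 3 keeps it pointing at the admin panel.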