
🗂️PortSwigger Lab Writeup: Unprotected Admin Functionality with Unpredictable URL

[Screenshot: PortSwigger lab description page for Broken Access Control - Unprotected admin functionality with unpredictable URL]


🎯 Objective

The objective of this lab is to exploit a broken access control where the app has an unprotected admin panel whose location is disclosed in the source code. The goal is to access the admin panel and delete the user carlos.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url
  • Category: Access Control
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    [Screenshot: shopping website homepage displaying product catalog and navigation menu]
    [Screenshot: website interface showing login functionality and header elements]
  • At first glance, the website appears to be a shopping site with a login page. The lab description states that we need to find the admin panel and then delete the account of carlos.

📝Step 2: Find Admin Panel

  • First we need to find the admin panel from which accounts can be deleted.
  • Since the lab states that the admin URL is unpredictable, we will not try visiting the /admin page.
  • Instead, open the source code of the website and check whether the location of the admin panel appears anywhere in it.
    [Screenshot: browser developer tools showing JavaScript source code with the admin panel URL exposed in an isAdmin check]
  • In the JavaScript code, the location of the admin panel is disclosed.
  • The admin panel is accessible at /admin-qi1y24.

🧑‍💼Step 3: Delete carlos

  • Open the /admin-qi1y24 page.
    [Screenshot: admin panel dashboard showing user list with delete options for the wiener and carlos accounts]
  • Click the Delete option for carlos to delete the account.
    [Screenshot: lab solved confirmation message after successfully deleting the carlos user account]
  • The lab is solved.

🧠 Conclusion

  • This lab demonstrated how broken access control combined with source code disclosure exposes sensitive admin URLs. By analyzing the JavaScript code, we discovered the hidden /admin-qi1y24 path and accessed the admin panel without authentication.
  • Such vulnerabilities have a critical impact: attackers can easily discover "hidden" URLs by inspecting client-side code, gaining unauthorized access to privileged functionality.
  • Fix: implement server-side authentication and authorization checks on all admin endpoints, never expose sensitive URLs in client-side code, use proper session management and role-based access control (RBAC), and avoid security through obscurity.
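To make the fix concrete, here is an added example (not the lab's or PortSwigger's code) of the pattern the lab violates beside the pattern the conclusion recommends. It models a tiny request handler in plain Node.js: the vulnerable handler serves any known path to anyone, which is exactly why hiding /admin-qi1y24 behind a client-side isAdmin flag protects nothing; the hardened handler resolves the caller's identity from a server-side session and checks their role against the route's requirement before rendering or acting. The path /admin-qi1y24 and the usernames wiener, carlos and administrator come from the lab; the user table, session store, role ranking and route table are constructed for illustration.

```javascript
// Added example, not the lab's code: server-side authorization for an admin route.
// Constructed user table: usernames from the lab, roles assumed for illustration.
const USERS = {
  wiener: { role: 'user' },
  carlos: { role: 'user' },
  administrator: { role: 'admin' },
};

// Constructed session store: session cookie value -> username.
const SESSIONS = new Map([
  ['sess-wiener', 'wiener'],
  ['sess-admin', 'administrator'],
]);

// Role ranking for a simple RBAC check: an admin may do anything a user may.
const RANK = { user: 1, admin: 2 };

// Route table: each path declares the minimum role it requires. Whether the
// admin path is "unpredictable" is irrelevant to the check below.
const ROUTES = {
  '/': { minRole: null },
  '/my-account': { minRole: 'user' },
  '/admin-qi1y24': { minRole: 'admin' }, // path disclosed in the lab's client-side JS
};

// Audit trail of denied requests; a defender would forward these to monitoring.
const AUDIT_LOG = [];

// Vulnerable pattern (what the lab models): any known path is rendered without
// checking who is asking. The client-side isAdmin flag only hides a link; the
// flag and the path are shipped to every browser.
function vulnerableHandler(req) {
  if (!(req.path in ROUTES)) return { status: 404 };
  return { status: 200, body: `page:${req.path}` };
}

function roleSatisfies(role, minRole) {
  return minRole === null || RANK[role] >= RANK[minRole];
}

// Hardened pattern: identify the caller from the server-side session, then
// compare their role with the route's requirement. 401 = no session,
// 403 = authenticated but not authorized.
function hardenedHandler(req) {
  const route = ROUTES[req.path];
  if (!route) return { status: 404 };
  if (route.minRole === null) return { status: 200, body: `page:${req.path}` };

  const username = SESSIONS.get(req.sessionId);
  if (!username) {
    AUDIT_LOG.push({ path: req.path, reason: 'no-session' });
    return { status: 401 };
  }
  if (!roleSatisfies(USERS[username].role, route.minRole)) {
    AUDIT_LOG.push({ path: req.path, user: username, reason: 'insufficient-role' });
    return { status: 403 };
  }
  return { status: 200, body: `page:${req.path}`, user: username };
}

// The privileged action gets the same check as the page: authorize the caller,
// never the URL. userTable is passed in so callers can operate on a copy.
function deleteUser(req, target, userTable) {
  const auth = hardenedHandler({ sessionId: req.sessionId, path: '/admin-qi1y24' });
  if (auth.status !== 200) return { status: auth.status };
  if (!(target in userTable)) return { status: 404 };
  delete userTable[target];
  return { status: 200, deleted: target, by: auth.user };
}

// Stand-alone demo: an anonymous request for the disclosed admin path.
console.log('vulnerable handler:', vulnerableHandler({ path: '/admin-qi1y24' }));
console.log('hardened handler:  ', hardenedHandler({ path: '/admin-qi1y24' }));
```

The key design choice is that authorization is attached to the route and the action on the server, so disclosing the path (in JavaScript, in a sitemap, or by guessing) yields nothing more than a 401 or 403, and each denied attempt leaves an audit entry that monitoring can alert on.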