
🗂️PortSwigger Lab Writeup: URL-Based Access Control can be Circumvented

PortSwigger lab banner: URL-based access control can be circumvented


🎯 Objective

The objective of this lab is to exploit a broken access control where the app has an unauthenticated admin panel with a front-end system that has been configured to block external access to that path. The goal is to access the admin panel and delete the user carlos.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented
  • Category: Access Control
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly, open the lab URL in your browser and observe what it is about and how it works.
    (Screenshot: shopping website homepage showing product listings and navigation)
    (Screenshot: login page interface with username and password fields)
  • At first glance, the website seems to be a shopping website with a login page. In the lab description, it is mentioned that we need to access the admin panel and then delete the account of carlos.

📝Step 2: Try Accessing Admin Panel

  • Click on Admin Panel and see the normal response.
    (Screenshot: access denied page when clicking the Admin Panel link due to URL-based control)
  • Now open the HTTP history in Burp Suite and look at the GET /admin request and its response.
    (Screenshot: Burp Suite HTTP history showing the blocked GET /admin response)
  • Send this request to Repeater using Ctrl + R.
  • Change GET /admin to GET / and add an X-Original-URL: /admin HTTP header to the request.
    (Screenshot: Burp Repeater request with X-Original-URL header set to /admin successfully bypassing the URL control)
  • Hence, we can now successfully access the Admin Panel.

🧑‍💼Step 3: Delete carlos

  • Change GET / to GET /?username=carlos and set the header to X-Original-URL: /admin/delete in the request.
  • Sending the request will delete the account of carlos.
    (Screenshot: Burp Repeater request deleting carlos via X-Original-URL /admin/delete with a success response)
  • Finally, the lab is solved.
    (Screenshot: lab solved confirmation after deleting the carlos user account)

🧠 Conclusion

  • This lab demonstrated how URL-based access control can be bypassed using reverse proxy headers like X-Original-URL. By sending GET / with X-Original-URL: /admin, we accessed unauthenticated admin functionality and performed privileged actions.
  • The impact is critical — misconfigured proxies or web servers allow attackers to reach internal-only routes, bypass front-end path restrictions, and delete or modify sensitive data without authentication.
  • Fix: enforce server-side authorization for all sensitive paths, disable/strip override headers such as X-Original-URL/X-Rewrite-URL at the edge, normalize and validate request paths before authorization checks, and ensure reverse proxies do not forward internal-only routes to public origins.
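The following is an added example, not code from the lab or from PortSwigger: a small Python model of the edge/back-end split that Steps 2 and 3 exploit, beside a hardened dispatcher that applies the three fixes listed above. Header names are assumed to arrive lower-cased, as a proxy would present them; the routes, the `administrator` principal and the responses are constructed for illustration.

```python
# Added example (not PortSwigger's code): model of the lab's misconfiguration
# and of the corrected request handling. Routes, users and responses are
# constructed; header names are assumed lower-cased by the proxy.
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote, parse_qs
import posixpath

# Headers that some proxies and frameworks treat as a request-target override.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    target: str                   # request-target as sent, e.g. "/?username=carlos"
    headers: dict                 # lower-cased header name -> value
    user: Optional[str] = None    # authenticated principal; None = anonymous


def normalize_path(raw_target: str) -> str:
    """Decode percent-encoding and collapse dot segments so every spelling
    of /admin compares as the same string before any authorization check."""
    path = unquote(urlsplit(raw_target).path) or "/"
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def is_admin_path(path: str) -> bool:
    return path == "/admin" or path.startswith("/admin/")


def strip_override_headers(headers: dict) -> dict:
    """Edge fix: drop override headers so they never reach the back end."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def route(path: str, target: str) -> Tuple[int, str]:
    """Application routes. Note that /admin/delete performs no check of its
    own: it relies entirely on whoever called it having authorized the request."""
    if path == "/admin":
        return 200, "admin panel"
    if path == "/admin/delete":
        username = parse_qs(urlsplit(target).query).get("username", [""])[0]
        return 200, f"deleted {username}"
    return 200, "home"


def backend_vulnerable(req: Request) -> Tuple[int, str]:
    # Back end that re-routes on X-Original-URL when the header is present.
    effective = req.headers.get("x-original-url", req.target)
    return route(normalize_path(effective), req.target)


def handle_vulnerable(req: Request) -> Tuple[int, str]:
    """Lab configuration: the front end blocks /admin by the request-line
    path only, then forwards everything else to a back end that honours
    the override header. The edge rule never sees the header."""
    if is_admin_path(req.target.split("?", 1)[0]):
        return 403, "access denied"
    return backend_vulnerable(req)


def backend_hardened(req: Request) -> Tuple[int, str]:
    """Server-side authorization on the normalized path; override headers
    are never consulted for routing."""
    path = normalize_path(req.target)
    if is_admin_path(path) and req.user != "administrator":
        return 401, "unauthorized"
    return route(path, req.target)


def handle_hardened(req: Request) -> Tuple[int, str]:
    """Edge strips override headers, back end authorizes: each layer is
    safe on its own, so neither depends on the other for correctness."""
    cleaned = Request(req.target, strip_override_headers(req.headers), req.user)
    return backend_hardened(cleaned)


if __name__ == "__main__":
    override = {"x-original-url": "/admin"}
    print(handle_vulnerable(Request("/admin", {})))                 # (403, 'access denied')
    print(handle_vulnerable(Request("/", override)))                # (200, 'admin panel')
    print(handle_hardened(Request("/", override)))                  # (200, 'home')
    print(handle_hardened(Request("/admin", {})))                   # (401, 'unauthorized')
    print(handle_hardened(Request("/admin", {}, "administrator")))  # (200, 'admin panel')
```

The vulnerable dispatcher reproduces the lab's behaviour: a direct GET /admin is denied at the edge, while GET / carrying X-Original-URL: /admin reaches the admin route. The hardened dispatcher does not rely on the edge alone; even if the header slipped through, `backend_hardened` still authorizes on the path it actually serves.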