
🗂️PortSwigger Lab Writeup: User Role Controlled by Request Parameter

[Screenshot: PortSwigger lab description page for Broken Access Control - User role controlled by request parameter]


🎯 Objective

The objective of this lab is to exploit a broken access control where the app has an admin panel which identifies administrators using a forgeable cookie. The goal is to access the admin panel and delete the user carlos.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-user-role-controlled-by-request-parameter
  • Category: Access Control
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    [Screenshot: Shopping website homepage displaying product listings and navigation]
    [Screenshot: Login page interface with username and password fields]
  • At first glance, the website is a shopping site with a login page. The lab description states that we need to access the admin panel and then delete the account of carlos.

📝Step 2: Try Accessing Admin Panel

  • To access the admin panel, we first log in with the given account credentials: wiener:peter
    [Screenshot: User account page after logging in as wiener showing My Account header]
  • On our account page, we only see a feature to update the email address.
    [Screenshot: Account settings page displaying email update form]
  • Now open the admin panel located at /admin.
    [Screenshot: Access denied error message stating Admin interface is only available to administrators]
  • We get an error saying that the admin interface is only available to administrators.
  • Next, open the HTTP history in Burp Suite and inspect the GET /admin request and its response to find any loophole for accessing the admin panel.
    [Screenshot: Burp Suite HTTP history showing GET /admin request with Admin=false cookie in request headers]
  • Here we can see a cookie Admin=false, which the backend is most likely using to check whether an administrator is accessing the panel.
  • Now let's change this cookie value through the browser developer tools from Admin=false to Admin=true.
    [Screenshot: Browser developer tools console showing cookie modification from Admin=false to Admin=true]
  • Open the admin panel again after changing the cookie value.
    [Screenshot: Admin panel successfully accessed showing user management interface with delete options]
  • We are now able to access the admin panel by forging the cookie value.

🧑‍💼Step 3: Delete carlos

  • Click on the Delete option for carlos to delete the account.
    [Screenshot: Lab solved confirmation message displayed after successfully deleting carlos user account]
  • Finally, the lab is solved.

🧠 Conclusion

  • This lab demonstrated how broken access control through client-side cookie manipulation allows unauthorized privilege escalation. By changing the Admin=false cookie to Admin=true, we bypassed role-based access controls and gained administrative access.
  • Such vulnerabilities have a critical impact: an attacker only needs to edit a cookie to escalate privileges, reach sensitive functionality, and perform unauthorized administrative actions.
  • Fix: implement server-side session management with secure role verification; never trust client-side parameters or cookies for authorization decisions; if state must live in a cookie, use cryptographically signed tokens (for example JWTs with proper validation); store user roles server-side in secure sessions; and enforce role-based access control (RBAC) on the server for every privileged route.
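To make the fix concrete, the following Python example (added here; it is not the lab's own code and PortSwigger's backend is not public) puts the lab's flawed check beside two hardened alternatives from the fix list. The `Request` class, the in-memory `SESSIONS` store, the `SECRET` key and the cookie names `session` and `role_token` are all assumptions chosen for the demonstration; only the `Admin` cookie name comes from the lab. The first function reproduces the vulnerable behaviour (a client-controlled cookie decides the role), the second resolves the role from a server-side session keyed by an opaque random id, and the third accepts a role cookie only when its HMAC tag verifies, so a hand-edited `admin` value is rejected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumption: only path and cookies matter here)."""
    path: str
    cookies: dict = field(default_factory=dict)


# --- Vulnerable pattern: the lab's /admin check, role read straight from a cookie ---
def is_admin_vulnerable(req: Request) -> bool:
    # Anything the browser sends is trusted, so Admin=true is enough to pass.
    return req.cookies.get("Admin") == "true"


# --- Hardened pattern 1: opaque session id mapped to a server-side record ---
SESSIONS: dict[str, dict] = {}  # constructed in-memory store; a real app would use a DB or cache


def create_session(username: str, role: str) -> str:
    """Issue a random, unguessable session id; the role never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": role}
    return sid


def is_admin_server_side(req: Request) -> bool:
    session = SESSIONS.get(req.cookies.get("session", ""))
    # The cookie only identifies the session; the role is whatever the server stored.
    return session is not None and session["role"] == "admin"


# --- Hardened pattern 2: role carried in a cookie, but integrity-protected with an HMAC ---
SECRET = secrets.token_bytes(32)  # constructed per-process key; a real deployment manages this securely


def sign_role(username: str, role: str) -> str:
    """Build 'username:role:tag' where tag = HMAC-SHA256(SECRET, 'username:role')."""
    payload = f"{username}:{role}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def is_admin_signed(req: Request) -> bool:
    token = req.cookies.get("role_token", "")
    parts = token.rsplit(":", 1)
    if len(parts) != 2:
        return False
    payload, tag = parts
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a tampered payload yields a tag mismatch and is rejected.
    if not hmac.compare_digest(tag, expected):
        return False
    return payload.rsplit(":", 1)[-1] == "admin"


def demo() -> dict:
    """Run the three checks against a forged cookie and against legitimately issued credentials."""
    forged = Request("/admin", {"Admin": "true"})
    admin_sid = create_session("administrator", "admin")
    user_sid = create_session("wiener", "user")
    # Simulate a user editing the role inside a signed cookie without knowing SECRET.
    tampered = sign_role("wiener", "user").replace(":user:", ":admin:", 1)
    return {
        "forged_passes_vulnerable": is_admin_vulnerable(forged),
        "forged_passes_server_side": is_admin_server_side(forged),
        "forged_passes_signed": is_admin_signed(forged),
        "real_admin_session": is_admin_server_side(Request("/admin", {"session": admin_sid})),
        "wiener_session": is_admin_server_side(Request("/admin", {"session": user_sid})),
        "real_admin_token": is_admin_signed(Request("/admin", {"role_token": sign_role("administrator", "admin")})),
        "tampered_token": is_admin_signed(Request("/admin", {"role_token": tampered})),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The session-store variant is the simplest to get right and is what most frameworks do by default; the signed-cookie variant is only acceptable when the key stays server-side and every reader verifies the tag before looking at the payload, which is the same discipline a correctly validated JWT requires.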