Unprotected admin functionality with unpredictable URL

In this post we will walk step by step through how to solve Unprotected admin functionality with unpredictable URL on PortSwigger. This lab’s difficulty is Apprentice and it is the second lab in the Access control labs on Portswigger.

Link to lab: https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url

To start the lab click the ‘Access the Lab’ button. A modern browser is all we need to solve this lab.

Starting the lab we are presented with a shop page that displays multiple categories. Don’t stress if your categories are different than the screenshot. PortSwigger Labs can change content each time the lab is started.


Reviewing the source code we are able to find a snippet of JavaScript that displays a possible admin page using the setAttribute function.  In this case the url /admin-lxlj21.

Navigating to /admin-lxlj21 we discover an unprotected admin functionality that allows an unauthenticated user to delete users.

Deleting the user Carlos solves the lab! Congratulations.

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!