Unprotected admin functionality

In this post we will walk step by step through how to solve Unprotected admin functionality on PortSwigger. This lab’s difficulty is Apprentice and it is the first lab in the Access control labs on Portswigger.

Link to lab: https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality

To start the lab click the ‘Access the Lab’ button. A modern browser is all we need to solve this lab.

Starting the lab we are presented with a shop page that displays multiple categories. Don’t stress if your categories are different than the screenshot. PortSwigger Labs can change content each time the lab is started.


Doing basic recon, we are able to find a robots.txt file that is pretty common on web sites. Observing the contents of robots.txt we can see a Disallow entry for /administrator-panel

Navigating to /administrator-panel we discover an unprotected admin functionality that allows an un-authenticated user to delete users.

Deleting the user Carlos solves the lab! Congratulations.

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!