
4:36
Portswigger - Access Control - Lab #1 Unprotected admin functionality
Popo Hack
Overview
This video demonstrates how to find and exploit an unprotected admin panel in a web application. The process involves using Burp Suite to inspect network traffic, identifying potential hidden directories, and leveraging the `robots.txt` file to discover the admin interface. Once accessed, the video shows how to use the admin panel's functionality to delete a specific user, thereby solving the lab challenge. It highlights the importance of checking `robots.txt` for security misconfigurations.
How was this?
Save this permanently with flashcards, quizzes, and AI chat
Chapters
- The goal is to find an unprotected admin panel and use its functionality to delete a user named 'carlos'.
- The lab is part of PortSwigger's Web Security Academy.
- Tools like Burp Suite (Community Edition) and FoxyProxy are used for inspection.
- The initial step involves mapping the application by browsing its pages.
Understanding the lab's objective and setting up the necessary tools are crucial first steps for any penetration testing or security assessment.
Activating FoxyProxy and configuring Burp Suite to intercept HTTP traffic.
- Browsing through the e-commerce site's items and their details.
- Checking HTML source code and comments for sensitive information or clues.
- Attempting to access a 'my account' section with default credentials (admin/admin) which fails.
- Examining the login form's HTML for any interesting attributes or comments related to username fields.
This phase illustrates common reconnaissance techniques, showing that direct inspection and simple credential guessing are often insufficient for finding vulnerabilities.
Viewing the HTML source of a product page and searching for comments or specific input field names like 'username'.
- Recalling the previous video's technique of using `robots.txt` to find hidden directories.
- Navigating to the `robots.txt` file of the web application.
- The `robots.txt` file contains directives that disallow crawling of specific paths.
- One of the disallowed paths identified is the admin panel.
The `robots.txt` file, often overlooked, can inadvertently reveal sensitive or administrative paths that are not meant to be publicly accessible or indexed.
Accessing the URL `your-target-website.com/robots.txt` and finding a line like 'Disallow: /admin/'.
- Using the path found in `robots.txt` (e.g., `/admin/`) to access the admin panel.
- The admin panel is unprotected, allowing direct access.
- The admin panel provides functionality to delete users.
- The objective is to delete the user 'carlos' to solve the lab.
This demonstrates a critical security flaw where administrative functions are exposed without proper authentication or authorization, allowing unauthorized actions.
Navigating to the `/admin/` URL, finding the option to delete the user 'carlos', and clicking the delete button.
Key takeaways
- Always check the `robots.txt` file during web application security assessments, as it can reveal hidden directories.
- Administrative interfaces are common targets and often contain critical functionalities like user management.
- Lack of proper access control (authentication and authorization) on administrative functions is a significant security vulnerability.
- Burp Suite is an essential tool for intercepting and analyzing web traffic to uncover security issues.
- Understanding how web servers handle requests and directives like those in `robots.txt` is key to finding vulnerabilities.
- Even simple e-commerce sites can have critical security flaws in their administrative sections.
Key terms
Web Security AcademyPortSwiggerBurp SuiteFoxyProxyrobots.txtAdmin PanelAccess ControlDisallow DirectiveUser DeletionReconnaissance
Test your understanding
- What is the primary purpose of the `robots.txt` file, and how can it be exploited in a security context?
- How did the video demonstrate finding the hidden admin panel without prior knowledge of its location?
- Why is it considered a security vulnerability if an admin panel is unprotected?
- What steps were taken after discovering the admin panel to achieve the lab's objective?
- Describe the role of Burp Suite in the process of finding and exploiting the admin functionality.