The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Access Control Lab 5

Levi | Last updated: Mar 05, 2020 03:47AM UTC

Info: Try to load /admin and observe that you get blocked. Observe that the response is very plain, suggesting it may originate from a front-end system. Send the request to Burp Repeater. Change the URL in the request line to / and add the HTTP header X-Original-URL: /invalid. Observe that the application returns a "not found" response. This indicates that the back-end system is processing the URL from the X-Original-URL header. Change the value of the X-Original-URL header to /admin. Observe that you can now access the admin page. To delete the user carlos, add ?username=carlos to the real query string, and change the X-Original-URL path to /admin/delete. I'm not exactly sure what the steps are here or what I replace with X-Original-URL. I get "access denied" every time... Some exact steps would be helpful. Cheers

Ben, PortSwigger Agent | Last updated: Mar 05, 2020 11:19AM UTC

Hi, You need to add the X-Original-URL header to the request and assign it the /invalid value. If you take a look at the request that is generated by navigating to the https://<labID>/admin URL you will see that this header is not there. Add it and then change the GET request URL to just be / and then you should get the "not found" response. Next step is to change the added X-Original-URL to have the value /admin and you will be able to get to the admin page. Please let us know if you require any further information.

Matúš | Last updated: May 18, 2020 11:00PM UTC

I am having the same issue. Getting Access denied for the last step. I am able to get into admin interface, then I click delete Carlos. I am setting /admin/delete?username=carlos HTTP/1.1 for GET field and /admin/delete for X-Original-URL header, just as in the hint. I have tried many other combinations but I always get access denied. Please help.

Ben, PortSwigger Agent | Last updated: May 19, 2020 08:34AM UTC

Hi Matúš, Try setting the following whilst leaving your other settings as they were: GET /?username=carlos HTTP/1.1
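The mechanism the thread walks through (a front-end that applies its access rule to the request-line path while the back-end routes on X-Original-URL, with the query string still taken from the real request line) can be simulated in a few lines. The following is an added, constructed example written for this page, not PortSwigger's lab code: the routes, response strings, the `strip_overrides` flag and the list of override header names are assumptions. It also shows why placing /admin in the request line is blocked before the back-end ever sees it, and what the mitigation looks like when the edge drops client-supplied override headers.

```python
"""Constructed simulation of the X-Original-URL override discussed in this thread.

A front-end enforces its access-control rule on the request-line path only,
while the back-end, if an X-Original-URL header is present, routes on that
header's path instead (keeping the query string from the real request line).
strip_overrides=True shows the fix: drop client-supplied override headers at
the edge before forwarding.  Routes, strings and header list are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Headers some back-end stacks honour as a routing override; an edge proxy
# should never forward these from untrusted clients (assumed list).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    target: str                                # request-line target, e.g. "/?username=carlos"
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def backend(req):
    """Back-end routing.  The flaw: an X-Original-URL header replaces the
    request-line path, while the query string still comes from the request line."""
    real = urlsplit(req.target)
    override = req.header("X-Original-URL")
    path = urlsplit(override).path if override is not None else real.path
    query = parse_qs(real.query)

    if path == "/":
        return 200, "home"
    if path == "/admin":
        return 200, "admin panel"
    if path == "/admin/delete":
        user = query.get("username", [None])[0]
        return (200, f"deleted {user}") if user else (400, "missing username")
    return 404, "not found"


def frontend(req, strip_overrides=False):
    """Front-end access control: blocks /admin* by request-line path only.
    With strip_overrides=True it also removes override headers (the mitigation)."""
    if urlsplit(req.target).path.startswith("/admin"):
        return 403, "access denied"
    if strip_overrides:
        req = Request(req.target, {k: v for k, v in req.headers.items()
                                   if k.lower() not in OVERRIDE_HEADERS})
    return backend(req)


def suspicious_override(req):
    """Detection hook: True when an untrusted request carries an override header
    whose path differs from the request-line path (worth logging or alerting on)."""
    for name in OVERRIDE_HEADERS:
        value = req.header(name)
        if value is not None and urlsplit(value).path != urlsplit(req.target).path:
            return True
    return False


if __name__ == "__main__":
    # The sequence from the lab hint, against the vulnerable front-end.
    print(frontend(Request("/admin")))                                    # (403, 'access denied')
    print(frontend(Request("/", {"X-Original-URL": "/invalid"})))         # (404, 'not found')
    print(frontend(Request("/", {"X-Original-URL": "/admin"})))           # (200, 'admin panel')
    print(frontend(Request("/?username=carlos",
                           {"X-Original-URL": "/admin/delete"})))         # (200, 'deleted carlos')
    # Putting /admin/delete in the request line is blocked by the front-end first.
    print(frontend(Request("/admin/delete?username=carlos",
                           {"X-Original-URL": "/admin/delete"})))         # (403, 'access denied')
    # Hardened front-end: the override header is dropped and the back-end sees "/".
    print(frontend(Request("/", {"X-Original-URL": "/admin"}),
                   strip_overrides=True))                                 # (200, 'home')
```

The defensive takeaway is the `strip_overrides` branch and the `suspicious_override` hook: the edge should either drop override headers it did not set itself or only honour them from a trusted internal hop, and any request from the outside that carries one is worth logging.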

eduard | Last updated: Dec 11, 2020 02:29PM UTC

Hi, I'm unable to access the admin panel. I'm using the following:

GET /admin HTTP/1.1
Host: acec1fd91fa23c9f80b42b5d00aa0063.web-security-academy.net
X-Original-URL: /admin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ro-RO,ro;q=0.8,en-US;q=0.6,en-GB;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://acec1fd91fa23c9f80b42b5d00aa0063.web-security-academy.net/
Cookie: session=6PEPYrZYzvjEgLgVHYosUr504W6SzHpC
Upgrade-Insecure-Requests: 1

Ben, PortSwigger Agent | Last updated: Dec 14, 2020 08:22AM UTC