The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: URL-based access control can be circumvented

Angel | Last updated: Sep 12, 2024 05:50PM UTC

I just have a question about the terminology used in the lab. "This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header." I'm confused about what "front-end system" means. I always thought that front-end meant the user's computer, so I assumed the access controls were going to be implemented with some front-end validation, but I see nothing when I use inspect. So what does "front-end system" mean here: "a front-end system has been configured to block external access to that path."
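In this lab description, "front-end system" refers to the component in front of the application on the server side (a reverse proxy, load balancer or WAF), not the browser. The model below is an added illustration, not code from the lab or from PortSwigger: it shows why a path check done only by such a front-end component can disagree with a back-end that honours an X-Original-URL header, and what the defensive fix looks like (strip the override header at the edge, or have the back-end refuse it). The names `Request`, `serve`, `front_end_allows`, `back_end_route` and `strip_override_headers` are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Paths the front-end system (proxy/WAF) is configured to block from outside.
BLOCKED_PREFIXES = ("/admin",)
# Client-supplied headers that some frameworks treat as "the real URL".
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: path plus a header dict."""
    path: str
    headers: dict = field(default_factory=dict)


def front_end_allows(req: Request) -> bool:
    """Front-end check: it only ever sees the URL path of the request line."""
    return not req.path.startswith(BLOCKED_PREFIXES)


def back_end_route(req: Request, trust_override: bool = True) -> str:
    """Back-end routing. With trust_override=True the framework lets an
    X-Original-URL header replace the real path; with False it ignores it."""
    if trust_override:
        for name, value in req.headers.items():
            if name.lower() == "x-original-url":
                return value
    return req.path


def strip_override_headers(req: Request) -> Request:
    """Edge hardening: drop override headers before forwarding to the back-end."""
    kept = {k: v for k, v in req.headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return Request(req.path, kept)


def serve(req: Request, hardened: bool = False) -> str:
    """Return the handler path the back-end ends up serving, or 'blocked'."""
    if not front_end_allows(req):
        return "blocked"
    if hardened:
        # Either fix alone closes the gap; both together is defence in depth.
        req = strip_override_headers(req)
        return back_end_route(req, trust_override=False)
    return back_end_route(req)


if __name__ == "__main__":
    print(serve(Request("/admin")))                                  # blocked
    print(serve(Request("/", {"X-Original-URL": "/admin"})))         # /admin
    print(serve(Request("/", {"X-Original-URL": "/admin"}), True))   # /
```

The point for a reviewer or defender: the front-end and back-end reach different conclusions about which resource is being requested, so any access-control decision taken only at the front end is unreliable. The durable fix is on the back-end side (do not honour URL-override headers from untrusted sources), with header stripping at the proxy as a second layer; a browser-side check would not be involved at all, which is why nothing shows up in the inspector.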

Ben, PortSwigger Agent | Last updated: Sep 13, 2024 07:42AM UTC