Level 3: User Role Controlled by Request Parameter

Objective

Solve the lab by accessing the admin panel and deleting the user carlos.

Explanation

In this lab, the admin panel is accessible at /admin and identifies administrators based on a forgeable cookie. The goal is to manipulate the cookie to impersonate an administrator and delete the user "carlos."

Resolution

  1. First, go to the login page at /admin.

  2. Log in using the credentials provided: wiener:peter.

  3. Once logged in, you'll see that your username is "wiener," but the admin privileges are controlled by a cookie.

  4. Open the browser's developer tools (press F12 or Ctrl + Shift + I), navigate to the Storage tab, and select Cookies.

  5. Look for the Admin cookie and change its value from false to true.

  6. After modifying the cookie, reload the page to reflect the change.

  7. Now, you should be able to access the Admin Panel and delete the user "carlos."

Mitigation

  • Secure Cookie Management: Use secure cookies with attributes like HttpOnly, SameSite, and Secure to limit exposure to scripts, cross-site requests and plaintext transport. Note that these attributes do not stop the user from editing their own cookie, so they complement, rather than replace, server-side role checks.

  • Role-based Access Control: Implement robust role-based access control (RBAC) to ensure users cannot easily escalate their privileges.

  • Cookie Integrity: Use server-side session validation instead of relying on cookies for critical roles like admin.

  • Input Validation: Ensure that request parameters (including cookies) are properly validated and cannot be easily manipulated.
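The contrast between the lab's check and the server-side alternative described above, as an added example that is not part of the lab or of PortSwigger's code. The Request class, the SESSIONS store and the session ids are constructed stand-ins; the role is only ever read from the server-side record, never from a cookie.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only the cookie jar matters here."""
    cookies: dict = field(default_factory=dict)


# Constructed server-side session store (hypothetical): session id -> principal.
# The role lives here, on the server, and is never copied into a cookie.
SESSIONS = {
    "sid-wiener": {"user": "wiener", "role": "user"},
    "sid-admin": {"user": "administrator", "role": "admin"},
}


def is_admin_vulnerable(req: Request) -> bool:
    """Lab behaviour: the Admin cookie alone decides the role, so anyone can set it."""
    return req.cookies.get("Admin") == "true"


def is_admin_hardened(req: Request) -> bool:
    """Fix: resolve the session id to a server-side record and read the role from it."""
    record = SESSIONS.get(req.cookies.get("session", ""))
    return record is not None and record["role"] == "admin"


def delete_user(req: Request, target: str, users: set) -> int:
    """Admin-only action guarded by the hardened check; returns an HTTP-style status."""
    if not is_admin_hardened(req):
        return 403
    if target not in users:
        return 404
    users.discard(target)
    return 204


def flag_role_tampering(req: Request) -> bool:
    """Detection heuristic: a client asserting Admin=true while its session is not admin."""
    return is_admin_vulnerable(req) and not is_admin_hardened(req)
```

The detection helper is worth logging on a legacy application during migration: a request that still carries Admin=true but resolves to a non-admin session is exactly the manipulation this lab demonstrates.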
