Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Authentication bypass via flawed state machine

PRACTITIONER

This lab makes flawed assumptions about the sequence of events in the login process. To solve the lab, exploit this flaw to bypass the lab's authentication, access the admin interface, and delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

ACCESS THE LAB

Solution

  1. With Burp running, complete the login process and notice that you need to select your role before you are taken to the home page.
  2. Use the content discovery tool to identify the /admin path.
  3. Try browsing to /admin directly from the role selection page and observe that this doesn't work.
  4. Log out and then go back to the login page. In Burp, turn on proxy intercept then log in.
  5. Forward the POST /login request. The next request is GET /role-selector. Drop this request and then browse to the lab's home page. Observe that your role has defaulted to the administrator role and you have access to the admin panel.
  6. Delete carlos to solve the lab.

Community solutions

Michael Sommer

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find business logic vulnerabilities using Burp Suite

Try for free