Lab: Authentication bypass via flawed state machine
This lab makes flawed assumptions about the sequence of events in the login process. To solve the lab, exploit this flaw to bypass the lab's authentication, access the admin interface, and delete Carlos.
You can log in to your own account using the following credentials:
- With Burp running, complete the login process and notice that you need to select your role before you are taken to the home page.
Use the content discovery tool to identify the
Try browsing to
/admindirectly from the role selection page and observe that this doesn't work.
- Log out and then go back to the login page. In Burp, turn on proxy intercept then log in.
POST /loginrequest. The next request is
GET /role-selector. Drop this request and then browse to the lab's home page. Observe that your role has defaulted to the
administratorrole and you have access to the admin panel.
- Delete Carlos to solve the lab.