-
Try to load
/admin
and observe that you get blocked. Notice that the response is very plain, suggesting it may originate from a front-end system. -
Send the request to Burp Repeater. Change the URL in the request line to
/
and add the HTTP headerX-Original-URL: /invalid
. Observe that the application returns a "not found" response. This indicates that the back-end system is processing the URL from theX-Original-URL
header. -
Change the value of the
X-Original-URL
header to/admin
. Observe that you can now access the admin page. -
To delete
carlos
, add?username=carlos
to the real query string, and change theX-Original-URL
path to/admin/delete
.
Lab: URL-based access control can be circumvented
This website has an unauthenticated admin panel at /admin
, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL
header.
To solve the lab, access the admin panel and delete the user carlos
.