Unprotected admin functionality with unpredictable URL


This lab has an unprotected admin panel. It’s located at an unpredictable location, but the location is disclosed somewhere in the application.

Reproduction and proof of concept

  1. Review the lab home page’s source using Burp Suite or your web browser’s developer tools.

  2. It contains some JavaScript that discloses the URL of the admin panel.

var isAdmin = false;
if (isAdmin) {
   var topLinksTag = document.getElementsByClassName("top-links")[0];
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-srvink');
   adminPanelTag.innerText = 'Admin panel';
   var pTag = document.createElement('p');
   pTag.innerText = '|';
  1. Load the admin panel and delete carlos.


An attacker will need to access the admin panel, and use it to delete the user carlos.