Authentication bypass via flawed state machine
This lab makes flawed assumptions about the sequence of events in the login process.
With Burp running, complete the login process with
wiener:peterand notice that you need to select your role before you are taken to the home page.
Use the content discovery tool to identify the
Try browsing to
/admindirectly from the role selection page and observe that this doesn’t work.
Log out and then go back to the login page. In Burp, turn on proxy intercept then log in.
POST /loginrequest. The next request is
GET /role-selector. Drop this request and then browse to the lab’s home page. Observe that your role has defaulted to the
administratorrole, and you have access to the Admin panel.
Delete Carlos to solve the lab.
An attacker will need to log in; exploit the flaw to bypass the lab’s authentication, access the admin interface, and delete Carlos.