Unprotected admin functionality with unpredictable URL
The second thing we can do right after checking the robots.txt file is to check the source of the page. After clicking "Access the lab", we might, for example, go to "My Account", right-click on an empty field and choose "View Page Source":

What appears is the page's static source code (choosing "Inspect" instead would open the live, dynamic view of the page, which we could modify).
We see JavaScript code that contains a path with an unusual name:
/admin-cty0yq
So, we navigate to that page:
https://0ad700bd0406d4bc82256f5a00c3008c.web-security-academy.net/admin-cty0yq
Of course, the beginning of the address may vary.
We have entered the admin panel:

We delete the user carlos:
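The lab works because the admin path is shipped to every visitor inside the page's JavaScript. As an added example (not part of the original walkthrough), this Node.js check audits HTML served to a non-admin session for such paths; the sample markup and the `SENSITIVE` naming pattern are constructed assumptions, and only `/admin-cty0yq` comes from the page.

```javascript
// Added example: flag privileged-looking paths that a page discloses only
// inside inline <script> source. SAMPLE_HTML is constructed for illustration.
const SAMPLE_HTML = `
<section class="top-links">
  <a href="/">Home</a><a href="/my-account">My account</a>
</section>
<script>
var isAdmin = false;
if (isAdmin) {
  var link = document.createElement('a');
  link.setAttribute('href', '/admin-cty0yq');
}
</script>`;

// Assumed naming convention for privileged routes; adjust to the application.
const SENSITIVE = /admin|manage|internal|debug/i;

// Bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].filter((m) => !/\bsrc\s*=/i.test(m[1])).map((m) => m[2]);
}

// Quoted string literals that look like site-relative paths.
function pathLiterals(js) {
  return [...js.matchAll(/(['"`])(\/[\w\-.\/]*)\1/g)].map((m) => m[2]);
}

// Paths the user can already see: href attributes in markup outside scripts.
function visibleLinks(html) {
  const markup = html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, "");
  return new Set([...markup.matchAll(/href\s*=\s*["']([^"']+)["']/gi)].map((m) => m[1]));
}

// Sensitive-looking paths that appear in script source but not in visible links.
function auditPage(html) {
  const shown = visibleLinks(html);
  const found = inlineScripts(html).flatMap(pathLiterals);
  return [...new Set(found)].filter((p) => SENSITIVE.test(p) && !shown.has(p));
}

console.log(auditPage(SAMPLE_HTML));
```

A finding means the route itself must enforce authorization on the server for every request; removing the string from the script only hides the symptom.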
