Unprotected Admin Functionality
Link: https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality

After clicking "Access the lab," we are presented with an online store. Our task is to gain access to the admin panel and delete the user carlos. We do not know the login or password.
During reconnaissance, it's worth checking the robots.txt file.
In the address bar, we type /robots.txt. In my case, the address to look at is:
https://0ab900f404772d3a8570680d00b100e8.web-security-academy.net/robots.txt
The file reveals the path to the admin panel, so we proceed to the following address: https://0ab900f404772d3a8570680d00b100e8.web-security-academy.net/administrator-panel
Bingo. We have accessed the panel.
We click "Delete" next to the user carlos.
Task completed.
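
The root cause, shown as an added example that is not part of the lab or the original write-up: the panel is only unlinked, not access-controlled, and robots.txt gives its path away. The sketch below parses a constructed robots.txt and compares an unprotected route check with a server-side role check. The function names, the session dictionary and the status codes are assumptions made for illustration.

```python
# Added example: constructed data and hypothetical names throughout.
ROBOTS_TXT = """\
User-agent: *
Disallow: /administrator-panel
"""  # constructed sample; the path is the one visited in the write-up


def disallowed_paths(robots_txt):
    """Return the paths named in Disallow rules, skipping comments and empty rules."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


ADMIN_PREFIXES = ("/administrator-panel",)  # routes that require the admin role


def vulnerable_authorize(path, session):
    # The flaw: the route is hidden from navigation but served to any caller.
    return 200


def hardened_authorize(path, session):
    # Server-side check on every request, independent of how the URL was found.
    if path.startswith(ADMIN_PREFIXES):
        if session is None:
            return 401  # not logged in
        if session.get("role") != "admin":
            return 403  # logged in, but not an administrator
    return 200


def audit(robots_txt, authorize):
    """List robots.txt paths that an anonymous client (no session) can load."""
    return [p for p in disallowed_paths(robots_txt) if authorize(p, None) == 200]


if __name__ == "__main__":
    print("unprotected:", audit(ROBOTS_TXT, vulnerable_authorize))
    print("hardened:   ", audit(ROBOTS_TXT, hardened_authorize))
```

With the hardened check in place, listing the path in robots.txt still discloses that the panel exists, but the request is refused without an admin session.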