Unprotected admin functionality


Intro
This was another quick and simple lab in the Web Security Academy Apprentice learning path. So far these early introductory labs feel similar to a CTF exercise. Either that, or past CTF experience is giving me a leg up. Honestly I want to get to some harder stuff that will really get me solving more complex problems. I also should know better, and be careful what I wish for…
The Lab
This lab has an unprotected admin panel that needs to be found. The goal of this lab is to delete a user named Carlos.
The Analysis
These are the steps I took to analyse and solve this lab.
Based on the reading that precedes the lab, the first thing I did was append:
/robots.txt
to the URL of the lab's web page. This returned the following result:
That looks like the path to an admin panel to me, so I also appended that to the lab's web page URL:
and it was exactly what I thought it was. On the admin panel I can see two users.
Deleting Carlos solves the lab so Carlos has to go. Sorry Dude, nothing personal…
What I learned
- Checking a website's robots.txt file can yield clues about potential vulnerabilities: the paths it asks crawlers to avoid are visible to anyone who requests the file.
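As an added example (not part of the original write-up, and not the lab's robots.txt), here is a small Python check for the disclosure this lab relies on: it parses a constructed robots.txt the way a crawler would and flags Disallow paths that hint at admin or internal functionality, so a site owner can see what the file advertises and put those paths behind authentication instead of merely hiding them. The `/admin-console` path in the sample is hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample robots.txt (not the lab's file); /admin-console is a
# hypothetical path standing in for an admin panel a site owner tried to hide.
SAMPLE_ROBOTS = """\
# robots.txt for example.test (constructed)
User-agent: *
Disallow: /search
Disallow: /admin-console
Allow: /public/

User-agent: Googlebot
Disallow: /internal/backup
"""

# Words that usually mark functionality which should sit behind authentication;
# hiding it from crawlers is not access control.
SENSITIVE_HINTS = ("admin", "manage", "internal", "backup", "private", "debug")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return {user_agent: [disallowed paths]}, ignoring comments and Allow."""
    groups: Dict[str, List[str]] = {}
    current: List[str] = []  # Disallow lines before any User-agent are dropped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "user-agent":
            current = groups.setdefault(value, [])
        elif field.lower() == "disallow" and value:  # empty Disallow allows all
            current.append(value)
    return groups


def sensitive_disclosures(text: str) -> List[str]:
    """Disallowed paths whose name suggests protected functionality, in file order."""
    pattern = re.compile("|".join(SENSITIVE_HINTS), re.IGNORECASE)
    found: List[str] = []
    for paths in parse_robots(text).values():
        for path in paths:
            if pattern.search(path) and path not in found:
                found.append(path)
    return found
```

Running `sensitive_disclosures(SAMPLE_ROBOTS)` on the sample returns `['/admin-console', '/internal/backup']`, the two entries that should be reviewed before the file goes live.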
Written by Taji Abdullah