Solving Portswigger Academy: Unprotected admin functionality with unpredictable URL
This lab is quite similar to the previous one; the only difference is that we don't find the admin panel by brute-forcing the URL. Instead we need to look at the HTML source.
This lab has an unprotected admin panel. It’s located at an unpredictable location, but the location is disclosed somewhere in the application.
Solve the lab by accessing the admin panel, and using it to delete the user carlos.
When you visit the lab you will see a normal page with links to the Home and My account pages. I checked the Burp history and searched the responses for the word 'admin'; I was able to find the code responsible for the admin page.

Now let's access that location and you will see the admin page.


Though the attacker does not find anything by brute forcing, the source leaks the URL, and the panel also does not require any type of authentication.
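The same search I did by hand in Burp can be automated for a defender's review: the script below parses a page and reports any admin-looking path that appears only inside inline script code rather than as a visible link, which is exactly the kind of disclosure this lab relies on. This is an added example, not code from PortSwigger or the lab; the sample HTML and the placeholder path in it are constructed, not the lab's real admin URL.

```python
import re
from html.parser import HTMLParser

# Constructed sample response standing in for the lab page: the admin link is
# only built by client-side script, so the path never shows up as a visible <a>.
SAMPLE_HTML = """<html><body>
<a href="/">Home</a>
<a href="/my-account">My account</a>
<script>
var isAdmin = false;
if (isAdmin) {
    var a = document.createElement('a');
    a.setAttribute('href', '/admin-placeholder-path');  // placeholder, not the lab's path
    a.innerText = 'Admin panel';
    document.body.appendChild(a);
}
</script>
</body></html>"""

# Quoted absolute path containing "admin" anywhere in its segments.
PATH_RE = re.compile(r"""['"](/[A-Za-z0-9_\-./]*admin[A-Za-z0-9_\-./]*)['"]""", re.I)


class _SourceCollector(HTMLParser):
    """Collect every href attribute and the body of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script bodies over as raw text
            self.scripts.append(data)


def find_leaked_admin_paths(html):
    """Return admin-like paths referenced in script code but not exposed as links."""
    parser = _SourceCollector()
    parser.feed(html)
    visible = set(parser.hrefs)
    leaked = {p for body in parser.scripts for p in PATH_RE.findall(body) if p not in visible}
    return sorted(leaked)
```

Any path this reports should then be requested without a session to confirm whether, as in this lab, it is reachable with no authentication at all.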