Access Control Labs Overview

Tools Used:

  1. Burp Proxy (Intercept), Repeater and Intruder


Most of the access control labs came down to requesting routes the app had not protected, or to abusing flaws in the app's own logic. All of them were fairly easy, but a few stood out, such as:

  1. This lab, which required knowing about the X-Original-URL header (a header some front-ends set to tell the backend which URL to route; if the backend trusts it from the client, the path the front-end saw and the path the backend routes can differ).
  2. This lab, which exploited the fact that the backend rejected POST requests to a path unless the user was an admin, but accepted GET requests to the same path with no such check.

Labs like these, as noted above, are about testing or fuzzing every possible variation of a request (alternate paths, methods, and headers) and being aware of uncommon headers.
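The two bypasses above, as an added example that is not part of these notes or of the PortSwigger lab code. It simulates a front-end that blocks /admin and a backend with both bugs (routing on a client-supplied X-Original-URL, and an admin check that only guards POST), next to a hardened backend. The users, paths and parameter names (wiener, administrator, /admin-roles, username, action) are assumptions chosen for the demonstration.

```python
"""Constructed simulation of two access-control bypasses (not lab code):
1. X-Original-URL overriding the path the front-end actually filtered on.
2. An admin check that is only applied to POST, so GET to the same path
   performs the privileged action.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str                                  # request target, e.g. "/admin-roles?username=wiener&action=upgrade"
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)  # form fields of a POST
    user: str = "wiener"                      # session user; only "administrator" is an admin (assumed)


@dataclass
class Response:
    status: int
    body: str = ""


INITIAL_ROLES = {"wiener": "user", "carlos": "user", "administrator": "admin"}


def is_admin(req, roles):
    return roles.get(req.user) == "admin"


def params(req):
    """Merge query string and POST body, as many frameworks do by default."""
    p = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    p.update(req.body)
    return p


def front_end(req, backend, roles):
    """Simulated reverse proxy: the only control on /admin lives here."""
    path = urlsplit(req.url).path
    if path == "/admin" or path.startswith("/admin/"):
        return Response(403, "Access denied")
    return backend(req, roles)


def vulnerable_backend(req, roles):
    # BUG 1: a client-supplied X-Original-URL replaces the routing path, so a
    # request the front-end saw as "/" is dispatched to "/admin".
    path = req.headers.get("X-Original-URL", urlsplit(req.url).path)
    if path == "/admin":
        return Response(200, "Admin panel: " + ", ".join(roles))
    if path == "/admin-roles":
        # BUG 2: the admin check only covers POST; GET falls through.
        if req.method == "POST" and not is_admin(req, roles):
            return Response(401, "Unauthorized")
        p = params(req)
        roles[p["username"]] = "admin" if p["action"] == "upgrade" else "user"
        return Response(302, "Location: /admin")
    return Response(404, "Not found")


def hardened_backend(req, roles):
    # Fix 1: route only on the request line; X-Original-URL from the client is ignored.
    path = urlsplit(req.url).path
    if path == "/admin":
        # Fix 2: the backend enforces the role itself instead of trusting the proxy.
        if not is_admin(req, roles):
            return Response(401, "Unauthorized")
        return Response(200, "Admin panel: " + ", ".join(roles))
    if path == "/admin-roles":
        if req.method != "POST":            # state changes only via POST
            return Response(405, "Method not allowed")
        if not is_admin(req, roles):        # checked regardless of method, before any parameter is read
            return Response(401, "Unauthorized")
        p = params(req)
        roles[p["username"]] = "admin" if p["action"] == "upgrade" else "user"
        return Response(302, "Location: /admin")
    return Response(404, "Not found")


def demo(backend):
    """Replay the four requests a tester would send and report what happened."""
    roles = dict(INITIAL_ROLES)
    direct = front_end(Request("GET", "/admin"), backend, roles).status
    override = front_end(Request("GET", "/", {"X-Original-URL": "/admin"}), backend, roles).status
    post = front_end(Request("POST", "/admin-roles",
                             body={"username": "wiener", "action": "upgrade"}), backend, roles).status
    get = front_end(Request("GET", "/admin-roles?username=wiener&action=upgrade"), backend, roles).status
    return {"direct": direct, "override": override, "post": post, "get": get,
            "wiener_role": roles["wiener"]}


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_backend))
    print("hardened:  ", demo(hardened_backend))
```

Against the vulnerable backend the direct request is blocked (403), but the same target with the real path in X-Original-URL reaches the admin panel (200), and the POST that is refused with 401 succeeds as a GET (302, wiener upgraded). The hardened backend gives 404 for the header trick, 405 for the GET, and wiener's role stays "user". In Burp, the equivalent moves are adding the header in Repeater and using "Change request method" on the blocked POST.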