A parameter based access control is a type of access vulnerability in which an application determines the user's access right based on the on the parameter in the request. These are the:
<ul>
<li>query parameters
</li>
<li>request headers
</li>
<li>cookie values
</li>
</ul>
Such access controls are particularly vulnerable since they can be easily exploited by a user by simple changing the parameter values
<h3 id="heading-the-lab">The Lab:</h3>
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719682341256/8f0bb8b9-c8a9-49e3-8113-cd8fdcd0f92e.png" alt class="image--center mx-auto" />
For this lab the instructions inform that there is an admin panel at the url /admin. In order to solve the lab, a user must be deleted via accessing the admin panel.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719591171156/000c97f7-0794-404d-a320-a7f6848e81ad.png" alt class="image--center mx-auto" />
As with the previous we start with the home page of the insecure web application.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719592151696/812db5ad-4436-4cca-8421-bda5c273c552.png" alt class="image--center mx-auto" />
When logging in with the username and password provided,
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719592616428/03073aee-3b4b-4fe5-9361-23fd619602cd.png" alt class="image--center mx-auto" />
Then taking a look at the Post request, the first cookie value can be seen with "Admin" is set to False
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719682463457/df50ef27-87bd-4d4c-b661-12be7bf1f9cc.png" alt class="image--center mx-auto" />
Once the value is set to true
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719592906400/d47e4a90-60c5-4dc1-820b-e5bd7a5b329a.png" alt class="image--center mx-auto" />
The admin panel is become available in currently logged in account
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719593299482/e5bd7a24-1007-4545-a92c-d01fe96f8c75.png" alt class="image--center mx-auto" />
Upon entering the Admin panel, the two user profiles can be seen along with the delete option.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719593545150/2ec81f61-e242-4651-b86e-a3a37b3cb6a1.png" alt class="image--center mx-auto" />
Once the user is deleted, the lab will be passed

A **parameter based access control** is a type of access vulnerability in which an application determines the user's access right based on the on the parameter in the request. These are the:

* query parameters
    
* request headers
    
* cookie values
    

Such access controls are particularly vulnerable since they can be easily exploited by a user by simple changing the parameter values

### The Lab:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719682341256/8f0bb8b9-c8a9-49e3-8113-cd8fdcd0f92e.png align="center")

For this lab the instructions inform that there is an admin panel at the url /admin. In order to solve the lab, a user must be deleted via accessing the admin panel.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719591171156/000c97f7-0794-404d-a320-a7f6848e81ad.png align="center")

As with the previous we start with the home page of the insecure web application.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719592151696/812db5ad-4436-4cca-8421-bda5c273c552.png align="center")

When logging in with the username and password provided,

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719592616428/03073aee-3b4b-4fe5-9361-23fd619602cd.png align="center")

Then taking a look at the Post request, the first cookie value can be seen with "Admin" is set to False

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719682463457/df50ef27-87bd-4d4c-b661-12be7bf1f9cc.png align="center")

Once the value is set to true

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719592906400/d47e4a90-60c5-4dc1-820b-e5bd7a5b329a.png align="center")

The admin panel is become available in currently logged in account

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719593299482/e5bd7a24-1007-4545-a92c-d01fe96f8c75.png align="center")

Upon entering the Admin panel, the two user profiles can be seen along with the delete option.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1719593545150/2ec81f61-e242-4651-b86e-a3a37b3cb6a1.png align="center")

Once the user is deleted, the lab will be passed

A lab about parameter based access control vulnerabilities and how to exploit them to access restricted admin panels

Parameter based Access Control

The Lab: