Lab #2 Unprotected admin functionality with unpredictable URL

In this video, we cover Lab #2 in the Access Control Vulnerabilities module of the Web Security Academy. This lab has an unprotected admin panel. It's located at an unpredictable location, but the location is disclosed somewhere in the application. To solve the lab, we access the admin panel, and use it to delete the user carlos.

▬ 🔗 Links 🔗 ▬▬▬▬▬▬▬▬▬▬

Notes.txt document: https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/broken-access-control/lab-02/notes.txt

Python script: https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/broken-access-control/lab-02/access-control-lab-02.py

Web Security Academy Exercise Link: https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality-with-unpredictable-url

Rana's Twitter account: https://twitter.com/rana__khalil
