Lab 3: Admin Panel Bypass

IDOR in admin panel access control

Difficulty: Medium

Lab Overview

This lab demonstrates an IDOR-style access control flaw in an admin panel. The application dispatches administrative functions on the value of the action GET parameter without ever checking the session role, so a logged-in regular user reaches every admin function simply by changing that parameter.

Objective: Access admin panel functions by manipulating the action parameter to view sensitive administrative data.

Vulnerable PHP Code

<?php
// Vulnerable: the admin functions are selected by user input with no authorization check
session_start();

$action = $_GET['action'] ?? 'dashboard';

// Simulate user authentication (the lab hard-codes a regular, non-admin user)
$_SESSION['user_id'] = 1;
$_SESSION['role'] = 'user'; // Regular user, not admin

// Direct access to admin functions without ever consulting $_SESSION['role']
switch ($action) {
    case 'dashboard':
        echo "Admin dashboard loaded successfully!";   // Load admin dashboard
        break;
    case 'users':
        echo "User management loaded successfully!";   // Load user management
        break;
    case 'settings':
        echo "System settings loaded successfully!";   // Load system settings
        break;
    case 'logs':
        echo "System logs loaded successfully!";       // Load system logs
        break;
    default:
        echo "Unknown action";                         // Unknown values fall through harmlessly; the known ones do not
        break;
}

// Example vulnerable usage (all reachable with role = 'user'):
// ?action=dashboard (admin dashboard)
// ?action=users (user management)
// ?action=settings (system settings)
// ?action=logs (system logs)
Admin Panel Access

Rendered output for 3.php?action=logs while the session role is 'user':

System logs loaded successfully!
Admin Panel: Logs (ADMIN ACCESS)
System Logs
[2024-01-15 10:30:00] INFO User user1 logged in
[2024-01-15 10:25:00] WARNING Failed login attempt for user admin
[2024-01-15 10:20:00] ERROR Database connection timeout
[2024-01-15 10:15:00] INFO System backup completed successfully

Vulnerability Details
  • Type: Insecure Direct Object Reference (IDOR); strictly, a missing function-level authorization check, which OWASP files under Broken Access Control. The lab labels it IDOR because the user-controlled action parameter directly selects the privileged function.
  • Severity: Critical
  • Parameter: action
  • Method: GET
  • Issue: Admin functions are executed for any authenticated session; the handler never compares $_SESSION['role'] against the privilege the action requires
Test Payloads

Try these action values:

  • dashboard - Admin dashboard
  • users - User management
  • settings - System settings
  • logs - System logs

Example URLs:

  • 3.php?action=dashboard
  • 3.php?action=users
  • 3.php?action=settings
  • 3.php?action=logs
Mitigation Strategies
  • Enforce role-based access control (RBAC) on the server: check the session role (or a permission lookup) before every privileged branch, and deny by default
  • Map each allowed action to the role it requires in an allow-list; reject any action that is not in the list instead of letting it fall through to a handler
  • Indirect object references do not fix this bug on their own: the action name can stay readable, but each action must be gated by an explicit authorization check
  • Derive the role from a server-side session established by real authentication; never trust a role claim supplied by the client
  • Log and alert on denied privileged actions and on any admin function executed by a non-admin session
  • Include access-control checks in regular security testing and code review, since they are easy to drop when a new action is added
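The following is an added example, not the lab's own code: a hardened replacement for the dispatcher in 3.php that applies the allow-list and role-check mitigations above, and replays the Test Payloads list as both a regular user and an admin so the difference is visible from the command line. The names ACTION_ROLES, ROLE_LEVEL, authorize() and dispatch() are chosen for this example, and the user ids and role strings are constructed test data.

```php
<?php
// Added example, not the lab's own code: a hardened replacement for 3.php's
// action dispatcher. ACTION_ROLES, ROLE_LEVEL, authorize() and dispatch()
// are names chosen for this example.
declare(strict_types=1);

// Allow-list of actions and the minimum role each requires. Anything not in
// this map is rejected, so an unknown action never reaches a handler.
const ACTION_ROLES = [
    'dashboard' => 'user',   // any authenticated user
    'users'     => 'admin',
    'settings'  => 'admin',
    'logs'      => 'admin',
];

// Role hierarchy; a higher number means more privilege.
const ROLE_LEVEL = ['user' => 1, 'admin' => 2];

// Server-side authorization decision: true only when the action is
// allow-listed and the session role meets its requirement.
function authorize(string $action, ?string $role): bool
{
    if (!isset(ACTION_ROLES[$action])) {
        return false;                      // unknown action: deny by default
    }
    if ($role === null || !isset(ROLE_LEVEL[$role])) {
        return false;                      // no session role, or an unknown one
    }
    return ROLE_LEVEL[$role] >= ROLE_LEVEL[ACTION_ROLES[$action]];
}

// Dispatch one request. Returns [HTTP status, response body] so the same
// function can be exercised from the CLI self-test below.
function dispatch(string $action, ?int $userId, ?string $role): array
{
    if ($userId === null) {
        return [401, 'Login required'];
    }
    if (!authorize($action, $role)) {
        // Denied privileged actions are exactly what monitoring should see.
        error_log(sprintf('DENIED user=%d role=%s action=%s', $userId, $role ?? '-', $action));
        return [403, 'Forbidden'];
    }
    // Only now is it safe to run the handler.
    switch ($action) {
        case 'dashboard': $body = 'Dashboard loaded';        break;
        case 'users':     $body = 'User management loaded';  break;
        case 'settings':  $body = 'System settings loaded';  break;
        case 'logs':      $body = 'System logs loaded';      break;
        default:          return [404, 'Unknown action'];    // unreachable: authorize() already rejected it
    }
    return [200, $body];
}

if (PHP_SAPI === 'cli') {
    // Self-test: replay the lab's payload list (plus one unknown action)
    // as the regular user (id 1, constructed) and as an admin (id 2, constructed).
    foreach (['dashboard', 'users', 'settings', 'logs', 'export'] as $action) {
        [$asUser]  = dispatch($action, 1, 'user');
        [$asAdmin] = dispatch($action, 2, 'admin');
        printf("%-9s user=%d admin=%d\n", $action, $asUser, $asAdmin);
    }
} else {
    session_start();
    $action = $_GET['action'] ?? 'dashboard';
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    $role   = isset($_SESSION['role']) ? (string) $_SESSION['role'] : null;
    [$status, $body] = dispatch($action, $userId, $role);
    http_response_code($status);
    echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}
```

Run it with `php hardened.php` and the self-test prints dashboard as 200 for both roles, users, settings and logs as 403 for the user and 200 for the admin, and the unknown action export as 403 for both. The decisive design choice is that authorize() is consulted before the switch and rejects anything not in ACTION_ROLES, so adding a new admin action without a role entry fails closed instead of silently becoming reachable.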