BrokenRatControls [Easy] – Solution

Objective:

To identify and exploit insecure access controls within a simulated PHP web application that includes both authenticated and admin-only functionality, some of which is improperly protected.

Step 1: Initial Reconnaissance

The application provides a login interface with two test accounts:

• Admin: admin / adminpass
• Low Privilege: lowpriv / userpass

The interface hinted at different permissions depending on the logged-in user’s role.

Step 2: Authentication

Logged in as each user to confirm access levels:

• lowpriv: Access to dashboard and profile.
• admin: Access to additional features like user management, logs, and site settings.

Step 3: Role-Based Access Control Review

The backend logic used a session-stored role to restrict access via conditionals in a switch statement. Example:

if ($role !== 'admin') {
    echo "<h3>Access Denied</h3>";
    break;
}

Step 4: Discovery of Broken Access Controls

Two critical admin endpoints did not include any role validation:

case 'export_data':
    // Normally admin-only, but missing role check

case 'shutdown_system':
    // Normally admin-only, but missing role check

Step 5: Exploitation

While logged in as lowpriv, manually accessing:

• ?ajax=1&action=export_data
• ?ajax=1&action=shutdown_system

Successfully triggered the admin functionality without proper authorization.

Step 6: Mitigation Suggestions

• Add proper role checks on all protected endpoints.
• Centralize access control logic to avoid duplicated and inconsistent checks.
• Avoid exposing sensitive endpoint names in client-side code or comments.

Conclusion

This lab highlighted the impact of broken access control mechanisms. Sensitive functionality like data export and system shutdown was accessible to low-privilege users due to missing server-side role validation. It’s a strong reminder of the importance of secure coding practices and consistent access enforcement.