PortSwigger: Unprotected admin functionality - lab solution

Tags: cybersecurity, web security, labs, portswigger, application security

Objective - finding the admin panel

The goal of this lab is to find the URL leading to the admin panel, and then take advantage of the fact that the panel doesn't verify in any way whether we have administrator privileges. To complete the challenge, we must delete a user named Carlos.

Step 1: analyzing the robots.txt file

Robots.txt and SEO - what we use the robots.txt file for

Robots.txt is a file frequently used by SEO (Search Engine Optimization) specialists. They try to optimize website-related resources so that the site is more visible in search engines.

The robots.txt file typically contains URLs that should not be visible in search results. The Disallow directive suggests that indexing robots should ignore links marked this way. These are usually links to resources less important for understanding the site's content.

If a given address is described by the Disallow directive, it means we don't want the robot to waste time checking this resource. At the same time, we're suggesting that for better understanding of the site, such a robot can better utilize its time by looking elsewhere.

This is important from an SEO perspective. Every robot indexing content on a site has allocated resources (time, crawling frequency) that it can use to scan a given site. So if we suggest that certain pages are less important than others, we can help it spend more time scanning and analyzing those subpages we want to be visible in search engines, which translates to building the site's visibility on the web.

However, this file has its limitations - not every browser supports the rules contained in it, not every robot interprets the syntax the same way, and the page may still be indexed if links to it come from other websites. Therefore, a better approach is to use the noindex tag or to password-protect the page (source: developers.google.com).

Usually, robots.txt also contains an address leading to the sitemap.xml file - a site map with links we want to be indexed.

Undoubtedly, a link to the admin panel contributes nothing from an SEO perspective - links to the blog or other subpages matter more - but if we place it here, this is one of the places an attacker is likely to check, and they won't hesitate to use such a link. Therefore, the robots.txt file, besides helping with SEO activities, can also be a source of much interesting information from an attacker's perspective.

What can an attacker find in the robots.txt file?

Usually, an attacker will take this opportunity to use dictionaries containing keywords that are added to site-scanning tools. These allow checking whether a given site happens to have added resources whose URL ends with one of the words added to the dictionary. We've encountered such "known" addresses many times: for example, addresses ending with /login, /sign-in, /admin, /panel, /wp-login (for WordPress), /user, /dashboard, etc.

Sometimes developers think they can add some resources to the site this way - for example, additional files to download, a backup copy, etc. One might be convinced that adding addresses to such resources in robots.txt or, if someone knows a bit better how indexing robots work, adding a "noindex" tag to the page will be enough to prevent anyone from looking there. Unfortunately, in reality, attackers with site-scanning tools and dictionaries at their disposal still have a chance to find a given URL.

To solve the lab from PortSwigger, such advanced and somewhat time-consuming analysis isn't necessary. It's enough to look at the robots.txt file. When we do this, we'll find the following content:

User-agent: *
Disallow: /administrator-panel

That looks pretty good. We have the address someone apparently wanted to hide from us, served on a silver platter... Let's see what's hiding under it.
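The practical lesson of the sections above is that robots.txt is public, so anything listed under Disallow is advertised rather than hidden. The following is an added example, not code from the original post or from PortSwigger: a small robots.txt parser plus an audit check that flags Disallow paths containing the kinds of keywords the text lists (/admin, /login, /panel, backups and so on). The sample robots.txt is constructed for the example and only models the lab's content; the "EXAMPLE-PLUGIN" comment markers are an assumed stand-in for the kind of marker block a CMS plugin might emit, kept so that comment lines are also collected as fingerprint hints.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the lab's robots.txt (assumption: the plugin
# marker comments and the extra paths are illustrative, not from the lab).
SAMPLE_ROBOTS = """\
# START EXAMPLE-PLUGIN BLOCK
User-agent: *
Disallow: /administrator-panel
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /backup.zip
Sitemap: https://example.test/sitemap.xml
# END EXAMPLE-PLUGIN BLOCK
"""

# Keywords that commonly appear in wordlists used against sites; an auditor
# flags any Disallow path containing one, because robots.txt does not hide it.
SENSITIVE_KEYWORDS = ("admin", "login", "sign-in", "panel", "wp-login",
                      "user", "dashboard", "backup")


def parse_robots(text: str) -> Dict[str, object]:
    """Parse robots.txt into groups of rules per user-agent, sitemaps and comments.

    A group starts with one or more consecutive User-agent lines; the Allow and
    Disallow lines that follow apply to every agent named in that group.
    """
    groups: Dict[str, Dict[str, List[str]]] = {}
    sitemaps: List[str] = []
    comments: List[str] = []
    current_agents: List[str] = []
    seen_rules = False   # becomes True once a rule line follows the agent lines

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                       # blank lines carry no meaning
        if line.startswith("#"):
            comments.append(line[1:].strip())   # keep comments: they fingerprint tooling
            continue
        field, _, value = line.partition(":")
        field = field.strip().lower()
        value = value.split("#", 1)[0].strip()  # drop a trailing comment
        if field == "user-agent":
            if seen_rules:                 # a new group begins after rules were seen
                current_agents = []
                seen_rules = False
            current_agents.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            seen_rules = True
            for agent in current_agents or ["*"]:   # rules before any agent line: treat as '*'
                groups.setdefault(agent, {"allow": [], "disallow": []})[field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return {"groups": groups, "sitemaps": sitemaps, "comments": comments}


def flag_sensitive_paths(parsed: Dict[str, object],
                         keywords: Tuple[str, ...] = SENSITIVE_KEYWORDS) -> List[Tuple[str, str, str]]:
    """Return (agent, path, matched_keyword) for every Disallow entry that looks like hidden functionality."""
    hits: List[Tuple[str, str, str]] = []
    for agent, rules in parsed["groups"].items():
        for path in rules["disallow"]:
            lowered = path.lower()
            for kw in keywords:
                if kw in lowered:
                    hits.append((agent, path, kw))
                    break
    return hits


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, path, kw in flag_sensitive_paths(parsed):
        print(f"[{agent}] {path} looks sensitive (matched '{kw}') - protect it server-side, not in robots.txt")
    for comment in parsed["comments"]:
        print(f"comment reveals tooling: {comment}")
```

Running this over your own site's robots.txt is a cheap pre-release check: every flagged path should be reachable only after a server-side authorization check, and the comment lines show what a visitor can learn about the stack without sending a single other request.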

Step 2: looking at the /administrator-panel address

When we visit the address random-lab-address.web-security-academy.net/administrator-panel, a very interesting page appears before our eyes...

Image: Administrator panel in the PortSwigger lab

And we're done. We can delete the user named Carlos - and thereby solve the lab.
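The lab's flaw is that the delete action is protected only by the obscurity of its URL. As an added example (not the lab's code and not PortSwigger's), here is that flaw in miniature next to its hardened form: a tiny dispatcher routes the delete request to either a handler that acts for anyone who reaches the path, or one that resolves the caller's role from the server-side user record before doing anything. The user table, the session object and the /administrator-panel/delete route are constructed for the example; the role is deliberately looked up from the store rather than read from anything the client sends.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    """Server-side session: only identifies who logged in. No role is stored client-side."""
    user: Optional[str] = None   # None means an anonymous visitor


def new_user_store() -> Dict[str, Dict[str, str]]:
    # Constructed user table; "carlos" stands in for the account the lab asks us to delete.
    return {
        "administrator": {"role": "admin"},
        "wiener": {"role": "user"},
        "carlos": {"role": "user"},
    }


def current_role(users: Dict[str, Dict[str, str]], session: Session) -> Optional[str]:
    """Resolve the caller's role from the server-side record, never from the request."""
    if session.user is None:
        return None
    return users.get(session.user, {}).get("role")


def delete_user_unprotected(users, session, username) -> int:
    """The lab's behaviour: whoever reaches the URL can delete any account.
    The only thing 'hiding' this was the Disallow line in robots.txt."""
    users.pop(username, None)
    return 200


def delete_user_protected(users, session, username) -> int:
    """Hardened form: the URL is not the control, the authorization check is."""
    role = current_role(users, session)
    if role is None:
        return 401          # not logged in (or unknown account)
    if role != "admin":
        return 403          # authenticated, but not an administrator
    if username not in users:
        return 404
    del users[username]
    return 200


def handle(users, session: Session, path: str, handler: Callable) -> int:
    """Minimal dispatcher returning an HTTP-style status code for the delete action."""
    parts = urlsplit(path)
    if parts.path != "/administrator-panel/delete":
        return 404
    username = parse_qs(parts.query).get("username", [None])[0]
    if username is None:
        return 400
    return handler(users, session, username)


if __name__ == "__main__":
    target = "/administrator-panel/delete?username=carlos"
    store = new_user_store()
    print("unprotected, anonymous:", handle(store, Session(), target, delete_user_unprotected))
    store = new_user_store()
    print("protected, anonymous:  ", handle(store, Session(), target, delete_user_protected))
    print("protected, wiener:     ", handle(store, Session(user="wiener"), target, delete_user_protected))
    print("protected, admin:      ", handle(store, Session(user="administrator"), target, delete_user_protected))
```

The point to notice is that the hardened handler never trusts the path or the session for the role decision; it asks the user store, which is the only place an attacker cannot write to by crafting a request. Removing the robots.txt entry alone would change nothing about the unprotected handler.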

Robots.txt - example findings

Some time ago, I used to encounter login panels being added to robots.txt so they wouldn't hang sadly in search results. However, much more information that can be exploited may appear in robots.txt.

For example, the Yoast SEO plugin adds its block with "START YOAST BLOCK" printed at the beginning and "END YOAST BLOCK" printed at the end. So if any vulnerability appears in this plugin, the attacker already has the first piece of information they need - they know that this plugin is installed on the site.

Of course, such tags allow determining which code fragment comes from a given plugin and which might have been added by another plugin / independently by the user. However, this is information that can be used in other contexts, and it's worth remembering this.