SPRING 2026 · CTF WORKSHOP SERIES · PSU

Access Control

If a website hides its admin page but never checks who is accessing it, anyone can become an admin just by changing the URL. We’re going to do exactly that.

SECTION 01 · LEARNING OBJECTIVES

What You'll Learn

By the end of this workshop, you'll be able to spot and exploit missing access controls—one of the most common and dangerous web vulnerabilities.

01
Identify
Recognize access control weaknesses in web applications—where the UI hides features but the server fails to enforce restrictions.
02
Bypass
Access restricted functionality by directly manipulating URLs or requests, bypassing client‑side limitations.
03
Distinguish
Differentiate between horizontal escalation (accessing another user's data) and vertical escalation (gaining admin privileges).
SECTION 02 · CORE CONCEPTS

Core Concepts

Access control determines what actions a user is allowed to perform. The vulnerability arises when the server trusts the client to enforce restrictions.

CONCEPT A
Access Control
Security must be enforced on the server, not just hidden in the interface. If a user can guess or modify a URL to reach an admin page, the application is vulnerable.

Why hiding links isn't security

Many developers assume that if they don't show an "Admin" link to regular users, those users won't find the admin page. But attackers directly request /admin or /manage. The only safe approach is server‑side verification of the user's role on every request.

Common weak patterns

  • Relying on JavaScript to hide UI elements
  • Checking permissions only on the frontend
  • Using predictable IDs or paths without authorization checks
CONCEPT B
Privilege Escalation
Two main types: Horizontal (accessing another user's data, e.g., changing ?id=123 to ?id=124) and Vertical (gaining higher privileges, e.g., accessing /admin as a regular user).

Horizontal escalation (IDOR)

Insecure Direct Object Reference: you can view or edit another user's private data just by changing an ID in the URL or request body.

Vertical escalation

You perform actions reserved for a higher‑privilege role (admin, moderator). This often happens when the server doesn't check the user's role before executing admin functions.

📡 UNPROTECTED ADMIN FUNCTIONALITY
https://example.com/ → https://example.com/admin
👤 Normal user → 🔓 Admin panel (no check)

Changing the URL to /admin grants access to restricted functionality because the server does not enforce permission checks.
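Added example, not code from the workshop or the PortSwigger lab: a minimal Python request handler showing the broken pattern from Concepts A and B beside the fixed one, where the server checks the user's role (for /admin) and ownership (for /profile?id=) on every request instead of trusting what the UI hides. The users, sessions and profile data are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: user id -> (username, role), profile text, cookie -> user id
USERS = {123: ("wiener", "user"), 124: ("carlos", "user"), 1: ("administrator", "admin")}
PROFILES = {123: "wiener's private notes", 124: "carlos's private notes"}
SESSIONS = {"sess-wiener": 123, "sess-admin": 1}

ADMIN_PANEL = "ADMIN PANEL: delete users, view all data"


def vulnerable_handler(cookie, url):
    """Broken: /admin is merely unlinked from the UI, and /profile?id= trusts the id.
    The cookie is never consulted, so the caller's identity plays no role."""
    parts = urlsplit(url)
    if parts.path == "/admin":
        return 200, ADMIN_PANEL                      # no role check at all (vertical)
    if parts.path == "/profile":
        raw = parse_qs(parts.query).get("id", [""])[0]
        target = int(raw) if raw.isdigit() else -1
        return 200, PROFILES.get(target, "no such profile")   # no ownership check (IDOR)
    return 200, "Home (admin link hidden for non-admins)"


def secure_handler(cookie, url):
    """Fixed: identity comes from the server-side session; role and ownership
    are enforced for every request, regardless of what the UI shows."""
    uid = SESSIONS.get(cookie)
    if uid is None:
        return 401, "Login required"
    role = USERS[uid][1]
    parts = urlsplit(url)
    if parts.path == "/admin":
        if role != "admin":                          # vertical escalation blocked
            return 403, "Forbidden"
        return 200, ADMIN_PANEL
    if parts.path == "/profile":
        raw = parse_qs(parts.query).get("id", [str(uid)])[0]
        if not raw.isdigit():
            return 400, "Bad id"
        target = int(raw)
        if target != uid and role != "admin":        # horizontal escalation (IDOR) blocked
            return 403, "Forbidden"
        return 200, PROFILES.get(target, "no such profile")
    return 200, "Home"
```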

SECTION 03 · HOW IT WORKS

The 4‑Step Exploit

A typical broken access control workflow—from normal usage to full admin access.

01
Access application normally
LOG IN AS A REGULAR USER
  • Observe available pages and features (no admin link visible)
  • Note the URL structure and any ID parameters
02
Discover hidden endpoints
GUESS OR ENUMERATE ADMIN PATHS
  • Try common paths: /admin, /dashboard, /manage
  • Manually modify the URL in the browser's address bar
03
Request restricted resource
SEND REQUEST TO /ADMIN
  • Directly navigate to https://target.com/admin
  • Bypass UI restrictions — the server may still respond
04
Exploit missing server checks
ADMIN PANEL LOADS FOR UNPRIVILEGED USER
  • Server does not verify permissions → restricted content returned
  • Perform admin actions (delete users, view sensitive data)
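Added example, not part of the workshop: detection logic for the workflow above, run from the defender's side over a few constructed access-log lines. It flags successful responses to /admin paths for non-admin users (vertical) and profile reads by someone other than the owner (horizontal); the simplified log format, the role table and the profile ownership map are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log: "ip user [time] "METHOD target HTTP/x" status"
LOG_LINES = """\
10.0.0.5 wiener [12/Mar/2026:10:01:02] "GET / HTTP/1.1" 200
10.0.0.5 wiener [12/Mar/2026:10:01:09] "GET /admin HTTP/1.1" 200
10.0.0.5 wiener [12/Mar/2026:10:01:20] "GET /admin/delete?username=carlos HTTP/1.1" 302
10.0.0.9 administrator [12/Mar/2026:10:02:00] "GET /admin HTTP/1.1" 200
10.0.0.7 - [12/Mar/2026:10:02:30] "GET /admin HTTP/1.1" 404
10.0.0.7 carlos [12/Mar/2026:10:03:00] "GET /profile?id=123 HTTP/1.1" 200
"""

ROLES = {"wiener": "user", "carlos": "user", "administrator": "admin"}  # assumed user store
PROFILE_OWNER = {"123": "wiener", "124": "carlos"}                      # profile id -> owner

LINE_RE = re.compile(r'^(\S+) (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3})$')


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "user": user, "method": method, "path": path,
            "query": parse_qs(query), "status": int(status)}


def find_escalations(log_text):
    """Return (user, path, kind) for each successful request that a correctly
    enforcing server should have refused."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue                      # only a success reveals a missing server check
        role = ROLES.get(rec["user"], "anonymous")
        path = rec["path"]
        if (path == "/admin" or path.startswith("/admin/")) and role != "admin":
            findings.append((rec["user"], path, "vertical"))
        if path == "/profile" and role != "admin":
            for pid in rec["query"].get("id", []):
                if PROFILE_OWNER.get(pid) != rec["user"]:
                    findings.append((rec["user"], path, "horizontal"))
    return findings
```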
SECTION 04 · LIVE DEMO
DEMO.
PortSwigger Lab: Unprotected admin functionality
LAB
Unprotected admin panel
TOOL
Browser (Chrome/Firefox)
STATE
Logged into PortSwigger
▶ SCRIPT
# Step 1: access the lab as a normal user
Open the lab URL in browser
→ Expected: normal homepage loads (no admin link)

# Step 2: modify the URL to access admin page
Change URL from:
https://<lab-id>.web-security-academy.net/
to:
https://<lab-id>.web-security-academy.net/admin
→ Expected: admin panel loads successfully

# Step 3: interact with admin functionality
Click "Delete" or any admin action
→ Expected: action succeeds without authentication check
Follow along on your laptop. We will run through this together.
SECTION 05 · TROUBLESHOOTING

Common Pitfalls

SYMPTOM
/admin returns “Not found”
CAUSE
Wrong URL or lab instance not launched
FIX
Copy the exact lab URL and append /admin
SYMPTOM
Cannot access despite correct URL
CAUSE
Session expired / lab not properly loaded
FIX
Relaunch the lab and try again
SYMPTOM
“Too simple” mindset
CAUSE
Disbelief that real applications sometimes rely on nothing more than hidden URLs
FIX
Emphasize that this represents a real-world misconfiguration
SYMPTOM
No change after URL edit
CAUSE
Typo (e.g., /admins instead of /admin)
FIX
Use the exact endpoint /admin
SECTION 06 · POP QUIZ

Test Your Knowledge

QUESTION 01 / 05
What is the primary cause of broken access control vulnerabilities?
QUESTION 02 / 05
Which of the following best describes vertical privilege escalation?
QUESTION 03 / 05
You visit /admin while logged in as a normal user and see the admin panel. What is the most likely explanation?
QUESTION 04 / 05
Horizontal privilege escalation (IDOR) typically involves:
QUESTION 05 / 05
Which statement about access control is true?
SECTION 07 · YOUR CHALLENGE

Now Do It Yourself

⏱ 5 MIN · ◉ BEGINNER
THE TASK
Use the provided lab to identify and access a restricted admin page by manipulating the URL.
SUCCESS CRITERION
Screenshot showing the admin panel successfully accessed (URL includes /admin).
HINTS (reveal if stuck)
01
Try exploring common hidden paths in web applications.
02
Modify the URL manually instead of relying on the interface.
03
Append /admin to the base lab URL.
SECTION 08 · GO DEEPER

Further Resources

01

PortSwigger Web Security Academy

Interactive labs covering access control vulnerabilities (free). Start with "Unprotected admin functionality".

02

OWASP Top 10: Broken Access Control

High‑level overview of the most critical access control risks in modern applications.

03

OWASP Authorization Cheat Sheet

Practical guidelines for implementing secure access control correctly.

📎

Access Control Cheat Sheet (PDF)

Handout with quick reference on broken access control patterns. (Available in workshop materials)

Questions?
Join the PSU CTF 2026 WhatsApp group or ask a facilitator.
ACM/CYBERTECH @ PSU · SPRING 2026