July 11, 2026
Lab 1: Broken Access Control “Unprotected Admin Functionality” (PortSwigger Web Security Academy)
Intro

By Nitish Mukhiya
3 min read
Intro
For anyone learning web application security, PortSwigger Web Security Academy is one of the best free resources available. In this article, we'll walk through an Apprentice level lab — "Unprotected Admin Functionality" — step by step. This lab falls under the Broken Access Control category, which is one of the most common and dangerous vulnerability classes in the OWASP Top 10.
This is a legal, sandboxed training lab — so this technique should only ever be tried on your own authorized labs or bug bounty programs where you have explicit permission.
By Nitish Mukhiya
Lab Objective
The lab description makes the goal clear:
"This lab has an unprotected admin panel. Solve the lab by deleting the user
carlos."
This means there's an admin panel hidden somewhere on the site, but it hasn't been properly protected — there's no login check and no role verification. Our job is to find that panel and delete the user carlos.
Step 1 — Access the Lab
First, click "Access the lab" to spin up a fresh instance. You'll see a normal e-commerce style website with no obvious admin link visible anywhere.
Step 2 — Find Hidden Paths (Check robots.txt)
When there's no direct link to an admin panel, the first common step is to check the robots.txt file.
This file sits at the root of a website and tells search engines which paths not to crawl. Developers sometimes mistakenly put sensitive URLs in this file, assuming "if search engines ignore it, no one will find it." But this file is publicly accessible — anyone can open it directly in a browser.
Open this URL in your browser:
https://<lab-id>.web-security-academy.net/robots.txthttps://<lab-id>.web-security-academy.net/robots.txt
The result looks like this:
User-agent: *
Disallow: /administrator-panelUser-agent: *
Disallow: /administrator-panelA hidden path has been found: /administrator-panel.
Step 3 — Visit the Admin Panel Directly
Now visit that path directly in the browser:
https://<lab-id>.web-security-academy.net/administrator-panelhttps://<lab-id>.web-security-academy.net/administrator-panel
This is where the vulnerability is exposed — no login prompt appears, no "access denied" error shows up. The Users page loads directly, listing both wiener and carlos, each with a Delete link next to them.
This means the server was only relying on the URL being "hidden" (security through obscurity), without implementing any real authorization check (such as verifying the user's session role).
Step 4 — Delete the User
Simply click the Delete link next to carlos.
The page confirms:
User deleted successfully!User deleted successfully!And the users list now only shows wiener.
Step 5 — Lab Solved
The status badge in the top-right corner changes from "Not solved" to "Solved", and a congratulations banner appears:
"Congratulations, you solved the lab!"
The entire lab was solved in just 3 steps:
- Checked
robots.txt - Visited the hidden admin path directly
- Deleted the user — without any login or authentication
Why Does This Vulnerability Happen?
Developers sometimes assume that if a URL is hard to guess, it's safe. This flawed approach is called "security through obscurity." In the real world, mistakes like these show up as:
- Admin panels "protected" only by hiding the URL
- Sensitive paths leaking through
robots.txt, JS files, or sitemaps - Missing server-side role/permission checks
How to Fix This (Prevention)
- Add server-side authentication and authorization checks on every sensitive endpoint — never rely on URL obscurity or frontend checks alone.
- Implement role-based access control (RBAC) so every request verifies whether the user actually has the required privilege.
- Never put sensitive URLs in
robots.txt— this file should only be used for legitimate SEO crawling rules. - Conduct regular access control testing and code reviews so gaps like this are caught early.
Conclusion
This lab is a perfect beginner-friendly example of how a small misconfiguration — leaving an admin panel protected by nothing but URL obscurity — can compromise an entire system. Broken Access Control also sits at #1 on the OWASP Top 10, so understanding this concept well is essential for anyone in security or bug bounty hunting.
If you're learning web security, PortSwigger Web Security Academy has hundreds of similar free, legal, hands-on labs to practice with.
Happy (ethical) hacking!
👤 About the Author
Nitish Mukhiya is a security researcher and bug bounty hunter focused on web application security, currently sharpening his skills through PortSwigger's Web Security Academy.
Connect:
- 🐦 Twitter/X — @NITISHMUKHIYAJ
- 💼 LinkedIn — linkedin.com/in/nitishmukhiya
- 💻 GitHub — github.com/nitishmukhiyaji
- ✍️ Medium — medium.com/@nitishmukhiya
- 🌐 Portfolio — portfolio-livid-iota-e4saycgr44.vercel.app