Abuse Unprotected Admin Functionality


***In this tutorial you will learn how to abuse an unprotected admin functionality.***

Prerequisites

  • A working installation of Burp Suite (Burp Proxy with intercept enabled).
  • A PortSwigger Web Security Academy account.

Goal

To solve the lab, we have to delete the user carlos by accessing the admin panel.

Tutorial

1 - With intercept turned on in Burp Proxy, browse to the lab and catch the request in Burp.

2 - Change the request path to /robots.txt and forward it.

3 - The robots.txt response contains a Disallow entry that reveals the path of the admin panel.

4 - In the intercepted request, change the path to /administrator-panel and forward the request. The admin panel loads without any authentication, and from there you can delete the user carlos.
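The same discovery step, scripted, as an added example that is not part of the original tutorial: it parses the Disallow entries out of robots.txt and then requests each hidden path with no cookies to see which ones answer 200 to an unauthenticated client. The robots.txt text and the fake fetcher below are constructed so the script runs offline; the real http_get uses only the standard library, and any lab host you point it at is your own assumption.

```python
"""Added example: find paths hidden via robots.txt and test whether they are
reachable without authentication. Not from the original tutorial."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample robots.txt, modelled on the shape of the lab's file.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator-panel   # admin UI, "hidden" but not protected
Disallow: /cgi-bin/
Allow: /
Sitemap: https://example.com/sitemap.xml
"""


def parse_disallowed_paths(robots_txt):
    """Return the unique Disallow paths, in file order, ignoring comments."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in paths:
            paths.append(path)
    return paths


def http_get(url, timeout=10):
    """GET with no cookies or auth headers; return (status, body).
    4xx/5xx are returned, not raised, so a 401/403 is visible to the caller."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_hidden_paths(base_url, fetch=http_get):
    """Fetch robots.txt from base_url and probe every Disallow path.
    Returns {path: status_code}; empty if robots.txt itself is missing."""
    status, robots = fetch(urljoin(base_url, "/robots.txt"))
    if status != 200:
        return {}
    return {path: fetch(urljoin(base_url, path))[0]
            for path in parse_disallowed_paths(robots)}


def unprotected_paths(results):
    """Paths that answered 200 to an anonymous request: candidates for
    unprotected admin functionality."""
    return [path for path, code in results.items() if code == 200]


def fake_fetch(url):
    """Constructed stand-in for http_get so the example runs offline."""
    if url.endswith("/robots.txt"):
        return 200, SAMPLE_ROBOTS
    if url.endswith("/administrator-panel"):
        return 200, "<html>Users: wiener carlos</html>"
    return 404, ""


if __name__ == "__main__":
    # Replace fake_fetch with http_get and base_url with your lab URL
    # (assumed, not part of the tutorial) to run it for real.
    found = check_hidden_paths("https://example.com", fetch=fake_fetch)
    for path, code in found.items():
        print(f"{code}  {path}")
    print("unprotected:", unprotected_paths(found))
```

A 200 here only tells you the panel renders without a session; confirm manually that the actions it exposes (such as deleting a user) also succeed anonymously before reporting it. The fix on the server side is not a longer robots.txt but an authorization check on every admin route, since robots.txt is a hint to crawlers and never an access control.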