Bypassing Admin Panel via Unprotected Registration Endpoint

SRLSEC 🇮🇳
3 min read · Feb 16, 2025

During one of my routine bug-hunting sessions, I encountered a website with a visible login page but no registration option. Out of curiosity, I explored the site’s behavior and discovered a critical vulnerability that allowed me to register a super admin account by adding a parameter to the request. This simple exploit led to a complete compromise of the admin panel.

Step 1: Discovery - Guessing the Registration Endpoint

I noticed the website had a login page but no visible registration page.

I guessed and visited /register by changing the URL path from /login to /register.

I then completed the form and clicked the Register button, but unexpectedly, the registration page prompted me to input a role ID.

Step 2: Manipulating the Registration Request with Burp Suite

Using Burp Suite, I intercepted the registration request and observed the following:

POST /register HTTP/1.1
Host: target.com
Content-Type: application/json

{
"name": "socine",
"cug_number": 1,
"email": "socine6642@prorsd.com",
"password": "Password123",
"password_confirmation": "Password123"
}

The server responded with:
“role id field is required”

This confirmed that the backend expected a role_id value, even though it wasn’t displayed on the registration form. I added the role_id parameter manually. Based on standard role structures, I set role_id = 1.

POST /register HTTP/1.1
Host: target.com
Content-Type: application/json

{
"name": "socine",
"cug_number": 1,
"email": "socine6642@prorsd.com",
"password": "Password123",
"password_confirmation": "Password123",
"role_id": 1
}

The server redirected me to the homepage without any error or confirmation message. This was suspicious but promising.

Step 3: Verification — Confirming Account Creation & Logging In

I returned to the /register page and tried to register again with the same email. This time, the server responded with:

“The email has already been taken”

This confirmed that the account was successfully created.

Then I visited the login page and entered the newly created credentials.

BOOM 💥 — Logged in as a SUPER ADMIN!

Now I had full access to the admin panel.
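The root cause here is mass assignment: the registration handler binds whatever the client sends, including role_id, straight into the new user record. As an added example (not code from the write-up or the affected application), the Python model below puts the vulnerable handler beside a hardened one that allow-lists client fields and assigns the role server-side. The role ids, the in-memory `db` dict, and the helper names are assumptions; the payload fields are the ones from the intercepted request above.

```python
import hashlib
import os

# Assumed role ids: 1 is the privileged role the write-up obtained, 3 an ordinary user.
ADMIN_ROLE_ID = 1
DEFAULT_ROLE_ID = 3

# Fields a self-service registration form is allowed to send (allow-list).
REGISTRATION_FIELDS = {"name", "cug_number", "email", "password", "password_confirmation"}


def validate_common(payload, db):
    for field in ("name", "email", "password", "password_confirmation"):
        if field not in payload:
            raise ValueError(f"{field} field is required")
    if payload["password"] != payload["password_confirmation"]:
        raise ValueError("password confirmation does not match")
    if payload["email"] in db:
        raise ValueError("The email has already been taken")


def hash_password(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def register_vulnerable(payload, db):
    """Mass-assigns every client field, so a client-chosen role_id becomes the user's role."""
    if "role_id" not in payload:
        raise ValueError("role id field is required")  # the hint the write-up received
    validate_common(payload, db)
    user = {k: v for k, v in payload.items() if k not in ("password", "password_confirmation")}
    user["password_hash"] = hash_password(payload["password"])
    db[user["email"]] = user
    return user


def register_hardened(payload, db):
    """Rejects unexpected fields and assigns the role server-side, never from the client."""
    unexpected = set(payload) - REGISTRATION_FIELDS
    if unexpected:
        # Reject instead of silently dropping: a client sending role_id is worth logging.
        raise ValueError("unexpected field(s): " + ", ".join(sorted(unexpected)))
    validate_common(payload, db)
    user = {
        "name": payload["name"],
        "cug_number": payload.get("cug_number"),
        "email": payload["email"],
        "password_hash": hash_password(payload["password"]),
        "role_id": DEFAULT_ROLE_ID,  # fixed by the server regardless of the request body
    }
    db[user["email"]] = user
    return user
```

Rejecting unknown fields rather than dropping them also turns the probing step in this write-up into a visible error in the application logs.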



Written by SRLSEC 🇮🇳

Offensive Web Application Security

Responses (1)


Super bro... Clear writeup🔥
