Instructions & Explanation

This lab demonstrates how weak or missing access control allows attackers to reach protected areas without proper authentication.

Credentials (Hint):
Try user1, user2, or user3 with weak passwords from common lists like this one.

How to Break In:

• Left Side: The form checks credentials using this query: SELECT * FROM bac_users WHERE username = ?. Then compares the password in PHP.
  
  🔥 The bad logic is here:
  if ($password === $user['password'])
  ➤ This accepts plain-text passwords and ignores hashing.
• Right Side: This bypass is hardcoded:
  if (isset($_POST['admin_username'])) { header("Location: admin_panel.php"); }
  🔓 No actual authentication is done — this is a logic flaw.

Why This Matters:
Access control is meaningless if:

• You rely only on frontend logic or bypassable checks.
• You skip password validation entirely (like the Admin form).
• You store plain-text passwords instead of hashed ones.

👁️ Show Solution