PS Access control lab - User role can be modified in user profile

Objective: This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter.

  1. When trying to access /admin with the user wiener:

  2. If we try to update wiener’s email, intercept the request, and send it to the Repeater, it looks like this:

  3. We can see that the POST request only includes the email parameter, but the response body includes a roleid parameter (among others) that was never sent. Thus, we can intercept the request with Proxy, add the roleid parameter and set its value to 2:

  4. Now that we have access to the admin panel, we can delete carlos and solve the lab:
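As an added example that is not part of the original post or of the lab's own code: a Python sketch of the server-side pattern that makes this lab possible (copying every field of the JSON body onto the stored user record, including roleid) beside an allowlisted version that only accepts the fields a user may change. The user record, field names and admin check are assumed for illustration.

```python
import json
from typing import Any, Dict

ADMIN_ROLEID = 2
# Constructed sample record standing in for wiener's stored profile in the lab.
WIENER = {"username": "wiener", "email": "wiener@normal-user.net", "roleid": 1}

def vulnerable_update(user: Dict[str, Any], body: str) -> Dict[str, Any]:
    """Vulnerable pattern: every key in the JSON body is merged into the record,
    so a client that adds "roleid": 2 to the profile update promotes itself."""
    updated = dict(user)
    updated.update(json.loads(body))
    return updated

# Fields a user may change about their own profile. The role is deliberately absent.
UPDATABLE_FIELDS = frozenset({"email"})

def hardened_update(user: Dict[str, Any], body: str) -> Dict[str, Any]:
    """Allowlist pattern: only UPDATABLE_FIELDS are copied. Unexpected fields are
    rejected rather than silently dropped, so tampering shows up in server logs."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    unexpected = set(data) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    updated = dict(user)
    for field in UPDATABLE_FIELDS & set(data):
        updated[field] = data[field]
    return updated

def can_access_admin(user: Dict[str, Any]) -> bool:
    """The check the /admin panel performs against the stored record."""
    return user.get("roleid") == ADMIN_ROLEID

if __name__ == "__main__":
    tampered = json.dumps({"email": "x@example.com", "roleid": ADMIN_ROLEID})
    print(can_access_admin(vulnerable_update(WIENER, tampered)))  # True
    try:
        hardened_update(WIENER, tampered)
    except ValueError as e:
        print("rejected:", e)
```

The same idea applies to the response: serialising only the allowlisted fields back to the client avoids advertising internal fields such as roleid in the first place.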

This post is licensed under CC BY 4.0 by the author.