siunam's Website

User role controlled by request parameter | Dec 12, 2022

Introduction

Welcome to another of my writeups! In this PortSwigger Labs lab, you’ll learn about a user role controlled by a request parameter. Without further ado, let’s dive in.

Background

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Log in as user wiener:

In the lab background, it said:

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Let’s view our cookies!

As you can see, there is a cookie called Admin, and its value is false.

Hmm… What if I change the value to true? Will I become an administrator?

Now let’s go to the admin panel at /admin:

I’m allowed to go to the admin panel!

Let’s delete user carlos!
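To show why the Admin cookie is forgeable and what the fix looks like, here is an added example (not the lab's own code) of the vulnerable role check beside a hardened one. The session store, session ids and the role_cookie_mismatch detection helper are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> account record.
# In a real application this would live in a database or session backend.
SESSIONS = {
    "sess-wiener-1": {"username": "wiener", "role": "user"},
    "sess-admin-9": {"username": "administrator", "role": "admin"},
}


def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The lab's flaw: the role is read straight from a client-supplied
    cookie, so anyone can flip Admin=false to Admin=true."""
    cookies = parse_cookies(cookie_header)
    return cookies.get("Admin", "false") == "true"


def is_admin_hardened(cookie_header: str) -> bool:
    """Fix: the client only holds an opaque session id; the role is looked
    up server-side, so editing any cookie cannot change it."""
    cookies = parse_cookies(cookie_header)
    account = SESSIONS.get(cookies.get("session", ""))
    return account is not None and account["role"] == "admin"


def role_cookie_mismatch(cookie_header: str) -> bool:
    """Detection aid (hypothetical helper) while a legacy Admin cookie is
    still being sent: flag requests whose cookie claims more privilege than
    the server-side session actually grants."""
    cookies = parse_cookies(cookie_header)
    claimed_admin = cookies.get("Admin", "false") == "true"
    return claimed_admin and not is_admin_hardened(cookie_header)
```

Log or alert on role_cookie_mismatch hits: a normal client never changes the value the server issued, so a mismatch is a strong tampering signal.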

What we’ve learned:

  1. User role controlled by request parameter