siunam's Website


User role can be modified in user profile | Dec 12, 2022

Introduction

Welcome to another of my writeups! In this PortSwigger Labs lab, you’ll learn: User role can be modified in user profile! Without further ado, let’s dive in.

Background

This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

In here, we can Update email. Let’s intercept that request in Burp Suite’s Repeater!

It’s sending a POST request to /my-account/change-email, and the body contains JSON data with our supplied email address.

Also, when we send the POST request, we can see the response is:

{
  "username": "wiener",
  "email": "wiener@normal-user.net",
  "apikey": "Qvbkfk3gByoLDZrgkvPw43om5BsJC7nz",
  "roleid": 1
}

Hmm… What if I set the roleid to 2, which is supposed to be the administrator role?

{
  "email":"wiener@normal-user.net",
  "roleid": 2
}

Now, let’s try to go to the admin panel (/admin):

We can access the admin panel!!

Let’s delete user carlos!!
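The bug behind this lab is mass assignment: the change-email endpoint copies every key from the JSON body onto the stored user record, so a field the client should never control (roleid) is writable. The following Python is an added example written for this writeup, not the lab's or PortSwigger's own code; it models the user record and the two handlers in memory, with a constructed placeholder in place of the real apikey. It shows the vulnerable handler beside an allow-listed one that rejects unexpected fields outright rather than silently dropping them, so tampering attempts become visible in server logs.

```python
import copy
import json
import re

# Constructed sample user record, modelled on the JSON response shown in the
# writeup. The apikey is a placeholder, not a real value.
WIENER = {
    "username": "wiener",
    "email": "wiener@normal-user.net",
    "apikey": "<constructed-api-key>",
    "roleid": 1,
}

ADMIN_ROLEID = 2  # the lab states that roleid 2 grants access to /admin

# Fields a user may change through POST /my-account/change-email.
# Everything else (roleid, apikey, username) is server-controlled.
WRITABLE_FIELDS = frozenset({"email"})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def change_email_vulnerable(user: dict, body: str) -> dict:
    """Mass-assignment bug: every key in the JSON body is copied onto the
    stored user record, so a client can set roleid along with email."""
    updated = copy.deepcopy(user)
    updated.update(json.loads(body))
    return updated


def change_email_hardened(user: dict, body: str) -> dict:
    """Allow-list version: only 'email' is accepted, its value is validated,
    and any unexpected key fails the request instead of being ignored
    silently, so a tampered body shows up as an error in the logs."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    unexpected = set(data) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    email = data.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    updated = copy.deepcopy(user)
    updated["email"] = email  # only the allow-listed field changes
    return updated


def can_access_admin(user: dict) -> bool:
    """Authorisation check for /admin, as the lab describes it."""
    return user.get("roleid") == ADMIN_ROLEID


def demo() -> tuple:
    """Run the writeup's tampered request through both handlers; returns
    (admin access after vulnerable update, admin access after hardened update)."""
    tampered = json.dumps({"email": "wiener@normal-user.net", "roleid": 2})
    vulnerable_result = can_access_admin(change_email_vulnerable(WIENER, tampered))
    try:
        hardened_user = change_email_hardened(WIENER, tampered)
    except ValueError:
        hardened_user = WIENER  # request rejected, stored record unchanged
    return vulnerable_result, can_access_admin(hardened_user)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The design point is that the hardened handler decides which fields are writable on the server side and never lets the request body shape the update; binding request JSON straight onto a model object (as many ORM and framework helpers do by default) is exactly how roleid becomes client-controlled.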

What we’ve learned:

  1. User role can be modified in user profile