User role can be modified in user profile

In this post we will walk step by step through how to solve the lab "User role can be modified in user profile" on PortSwigger. This lab's difficulty is Apprentice and it is the fourth lab in the Access control section on PortSwigger.

Link to lab: https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile

To start the lab, click the 'Access the Lab' button. Burp Suite Community Edition is all we need to solve this lab.

Credentials are provided for the user wiener.

Navigating to the login page, we can use the provided credentials to authenticate and log in.

Now that we are logged in, we can view our account page, which offers the ability to update our email address.

Let's update our email address to something simple and observe the HTTP request and response in Burp Suite.

Viewing our POST request, we see the updated email in the JSON body.

The response returns other parameters as well, such as username, apikey and roleid.

Knowing our roleid is 1, we could add another value to the JSON body of our POST request to change roles. The server binds whatever fields the client sends straight onto the user record, so the role is not actually protected.

Let's try adding "roleid":2 to the JSON body.

We can see in the response that the roleid has been updated.

Back on the web page we can see that our role has changed to the administrator role: we now have access to the admin panel and the ability to delete users.

Deleting carlos solves the lab.
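To show why the steps above work, and what the fix looks like, here is an added example that is not code from the lab or from PortSwigger. It models a profile-update handler in two forms: a vulnerable one that merges every JSON key of the request body into the stored user record (so an injected roleid is persisted), and a hardened one that binds only an allow-list of client-writable fields and rejects, rather than silently drops, anything else so the attempt shows up in logs. The record layout mirrors the fields seen in the lab's response (username, apikey, roleid); the handler names, the ADMIN_ROLE_ID value, the sample API key and the sample email values are constructed assumptions.

```python
"""Mass-assignment demo: profile-update handler, vulnerable vs. hardened.

Added example, not code from the PortSwigger lab. Field names follow the
lab's JSON response; the handler names, ADMIN_ROLE_ID, the API key string
and the email values are assumptions constructed for the demo.
"""
import copy
import json

ADMIN_ROLE_ID = 2                        # assumed: role id that unlocks the admin panel
CLIENT_WRITABLE = frozenset({"email"})   # the only field the profile form should change

# Constructed sample user record, shaped like the lab's JSON response.
WIENER = {
    "username": "wiener",
    "email": "wiener@normal-user.net",
    "apikey": "EXAMPLE-APIKEY-NOT-REAL",
    "roleid": 1,
}


def update_profile_vulnerable(user: dict, raw_body: str) -> dict:
    """Vulnerable pattern: merge the whole request body into the stored
    record, so any key the client sends (including roleid) is persisted."""
    updated = copy.deepcopy(user)
    updated.update(json.loads(raw_body))
    return updated


class ProfileUpdateRejected(ValueError):
    """Raised when the body carries fields the client may not set."""


def update_profile_hardened(user: dict, raw_body: str) -> dict:
    """Hardened pattern: copy only allow-listed fields, and reject the whole
    request when unexpected keys are present so the attempt is visible."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise ProfileUpdateRejected("body must be a JSON object")
    unexpected = sorted(set(body) - CLIENT_WRITABLE)
    if unexpected:
        # The rejected key list is what a detection rule or audit log keys on.
        raise ProfileUpdateRejected(f"client-writable fields only; got {unexpected}")
    updated = copy.deepcopy(user)
    if "email" in body:
        updated["email"] = str(body["email"])
    return updated


def is_admin(user: dict) -> bool:
    """Server-side authorization check used when rendering the admin panel."""
    return user.get("roleid") == ADMIN_ROLE_ID


# Constructed request body matching what the walkthrough sends: the email
# change plus an injected roleid.
TAMPERED_BODY = '{"email":"test@test.com","roleid":2}'

if __name__ == "__main__":
    escalated = update_profile_vulnerable(WIENER, TAMPERED_BODY)
    print("vulnerable handler -> roleid", escalated["roleid"], "admin:", is_admin(escalated))
    try:
        update_profile_hardened(WIENER, TAMPERED_BODY)
    except ProfileUpdateRejected as exc:
        print("hardened handler rejected:", exc)
```

Rejecting unexpected keys outright (instead of ignoring them) is a deliberate choice: a 400 with the offending field names gives the application a clear signal to log and alert on, whereas silently dropping roleid would leave the probe invisible.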

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod