User role can be modified in user profile
https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile
Last updated
https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile
Last updated
Let's login using the following credentials:
Username | Password |
---|---|
wiener | peter |
Once logged in, we can change our email address.
Since we are proxying the traffic through Burp Suite, we can view the request by going to Proxy > HTTP History
.
We can see that the response contains the following key:value pair:
Let's forward this request to the Repeater
and include the key:value pair in the body of the request.
Now we can access tot admin panel using our browser.
Let's delete the carlos
user.
We have solved the lab.