Lab: User role can be modified in user profile
This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of 2.
Solve the lab by accessing the admin panel and using it to delete the user
You can log in to your own account using the following credentials:
- Log in using the supplied credentials and access your account page.
- Use the provided feature to update the email address associated with your account.
- Observe that the response contains your role ID.
- Send the email submission request to Burp Repeater, add "roleid":2 into the JSON in the request body, and resend it.
- Observe that the response shows your roleid has changed to 2.
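The weakness the steps above exercise is mass assignment: the profile-update handler copies every JSON field from the request into the stored user record, so a client-supplied roleid overwrites the real one. The following is a constructed example written for this page, not the lab's own code; it shows that handler beside an allowlisted version that only accepts the field the feature is meant to change and reports any other field so the attempt can be logged. The field names and the admin role value 2 are taken from the lab text; the sample user record is made up.

```python
"""Constructed example: a profile-update handler that mass-assigns every
JSON field, beside an allowlisted version. Not the lab's own code."""
import copy
import json

UPDATABLE_FIELDS = {"email"}   # the only field the update feature should touch
ADMIN_ROLE = 2                 # role value the lab's /admin panel checks for


def update_profile_vulnerable(user: dict, body: str) -> dict:
    """Merges the request JSON straight into the user record.
    An extra "roleid" key in the body silently replaces the stored role."""
    updated = copy.deepcopy(user)
    updated.update(json.loads(body))
    return updated


def update_profile_safe(user: dict, body: str) -> tuple[dict, list[str]]:
    """Copies only allowlisted fields into the record. Returns the updated
    record plus the sorted list of rejected keys, which the caller should
    log: a request carrying "roleid" is a tampering signal worth alerting on."""
    payload = json.loads(body)
    rejected = sorted(set(payload) - UPDATABLE_FIELDS)
    updated = copy.deepcopy(user)
    for field in UPDATABLE_FIELDS & set(payload):
        updated[field] = payload[field]
    return updated, rejected


def is_admin(user: dict) -> bool:
    """Access check the admin panel would perform."""
    return user.get("roleid") == ADMIN_ROLE


if __name__ == "__main__":
    # Constructed sample record and a tampered request body.
    user = {"username": "example-user", "email": "old@example.invalid", "roleid": 1}
    tampered = json.dumps({"email": "new@example.invalid", "roleid": 2})
    print("vulnerable handler grants admin:", is_admin(update_profile_vulnerable(user, tampered)))
    record, rejected = update_profile_safe(user, tampered)
    print("safe handler grants admin:", is_admin(record), "rejected fields:", rejected)
```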