Lab: User role can be modified in user profile
APPRENTICE
This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of 2.
Solve the lab by accessing the admin panel and using it to delete the user carlos.
You can log in to your own account using wiener:peter.
Solution
Log in using the supplied credentials.
Click on "My Account" and submit a new email address.
Observe that the response contains your role ID.
Send the email submission request to Burp Repeater, add "roleid":2 into the JSON in the request body, and resend it.
Observe that the response shows your roleid has changed to 2.
Browse to /admin and delete carlos.
