# Level 3: User Role Controlled by Request Parameter

## <mark style="color:purple;">Objective</mark>

Solve the lab by accessing the admin panel and deleting the user carlos.

## <mark style="color:purple;">Explanation</mark>

In this lab, the admin panel is accessible at `/admin`, and the application decides whether the current user is an administrator based solely on the value of a cookie that the client can edit. The goal is to change that cookie to impersonate an administrator and delete the user "carlos."

## <mark style="color:purple;">Resolution</mark>

1. First, go to the login page at `/admin`.
2. Log in using the credentials provided: `wiener:peter`.
3. Once logged in, you'll see that your username is "wiener," but the admin privileges are controlled by a cookie.
4. Open the browser's developer tools (press `F12` or `Ctrl + Shift + I`), navigate to the **Storage** tab, and select **Cookies**.
5. Look for the `Admin` cookie and change its value from `false` to `true`.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc7S0Z5VIIuUU7y10fJskFFFzQuXaCUzJRANj38lunf49EIc_q5fCxy3Tc-JIU7UsJVGDPY5YmA5hU2LxELQOd1Zx3DWGifSrogT_OFNj_5Ev-UUeeumivUzr-mbtqjkUJcaivfAA?key=fa42owF2aOzdeWltlyWxs3tn" alt="" width="375"><figcaption></figcaption></figure>

6. After modifying the cookie, reload the page to reflect the change.
7. Now, you should be able to access the **Admin Panel** and delete the user "carlos."

## <mark style="color:purple;">Mitigation</mark>

* **Secure Cookie Management**: Set the `HttpOnly`, `Secure`, and `SameSite` attributes on session cookies to limit their exposure to scripts, plaintext transport, and cross-site requests. These attributes do not stop the cookie's owner from editing its value in the browser, so they complement the server-side controls below rather than replace them.
* **Role-based Access Control**: Enforce role checks on the server for every privileged request (the `/admin` page and the delete action alike), with the role taken from the authenticated session rather than from anything the client sends.
* **Cookie Integrity**: Keep the user's role in server-side session state referenced by an opaque, random session identifier. If role data must live in a cookie, sign it (for example with an HMAC under a server-held key) so that any modification is detected and rejected.
* **Input Validation**: Treat cookies and other request parameters as untrusted input; validate them, and never let them be the sole basis for an authorization decision.
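To make the Resolution and Mitigation sections concrete, the following added example (constructed for this write-up, not PortSwigger's lab code) models a request as the raw `Cookie` header a browser sends and compares three role checks: the vulnerable one that trusts an `Admin` cookie, a server-side session lookup keyed by an opaque id, and an HMAC-signed role cookie. The cookie names `session` and `auth`, the `SESSIONS` store, and the `SERVER_KEY` are assumptions for the example.

```python
"""Vulnerable vs. hardened role checks for a client-editable 'Admin' cookie."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


def _cookies(cookie_header: str) -> SimpleCookie:
    """Parse a raw Cookie header into a name -> Morsel mapping."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar


# --- Vulnerable: the role lives in a cookie the user can edit ---------------
def is_admin_vulnerable(cookie_header: str) -> bool:
    """Trusts the 'Admin' cookie; flipping false -> true grants admin."""
    jar = _cookies(cookie_header)
    return "Admin" in jar and jar["Admin"].value == "true"


# --- Hardened option 1: role kept in server-side session state --------------
# Assumed in-memory store; keys are opaque random ids, values are set at login
# and never derived from client input.
SESSIONS: dict[str, dict] = {}


def login(username: str, role: str) -> str:
    """Create a session after successful authentication; return its id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": role}
    return sid


def is_admin_session(cookie_header: str) -> bool:
    """The client only holds an opaque id; the role is looked up server-side."""
    jar = _cookies(cookie_header)
    if "session" not in jar:
        return False
    session = SESSIONS.get(jar["session"].value)
    return session is not None and session["role"] == "admin"


# --- Hardened option 2: role cookie protected by an HMAC tag ----------------
SERVER_KEY = secrets.token_bytes(32)  # constructed; a real key comes from config


def sign_role(username: str, role: str) -> str:
    """Encode 'user|role' and append an HMAC-SHA256 tag computed over it."""
    payload = f"{username}|{role}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def is_admin_signed(cookie_header: str) -> bool:
    """Recompute the tag; an edited role no longer matches and is rejected."""
    jar = _cookies(cookie_header)
    if "auth" not in jar:
        return False
    parts = jar["auth"].value.rsplit("|", 1)
    if len(parts) != 2:
        return False
    payload, tag = parts
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return payload.split("|", 1)[1] == "admin"


def demo() -> dict:
    """Replay the lab's cookie edit against each check and collect outcomes."""
    results = {}
    # Vulnerable check: the edit made in the browser's Storage tab succeeds.
    results["vuln_before"] = is_admin_vulnerable("session=abc; Admin=false")
    results["vuln_after"] = is_admin_vulnerable("session=abc; Admin=true")
    # Session store: the extra Admin=true cookie is simply ignored.
    sid = login("wiener", "user")
    results["session_user"] = is_admin_session(f"session={sid}; Admin=true")
    results["session_unknown_id"] = is_admin_session("session=" + "A" * 43)
    # Signed cookie: changing the role field invalidates the tag.
    cookie = sign_role("wiener", "user")
    results["signed_user"] = is_admin_signed(f"auth={cookie}")
    results["signed_tampered"] = is_admin_signed(
        f"auth={cookie.replace('|user|', '|admin|')}")
    results["signed_real_admin"] = is_admin_signed(
        f"auth={sign_role('administrator', 'admin')}")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The session-store variant is the one to prefer: the client never sees the role at all, and revoking or changing it is a server-side update. The signed-cookie variant is useful when session state must stay client-side, but it still relies on the server refusing to read the role without verifying the tag first, which is why the comparison happens before the role is inspected.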
