Level 4: User role can be modified in user profile

Objective

Solve the lab by accessing the admin panel and deleting the user carlos.

Explanation

This lab's profile update endpoint accepts whatever fields the client sends and copies them onto the stored user record (a mass assignment flaw). The change-email request is a JSON body, and the response echoes the full profile, including "roleid":1 for a normal user. Because the server never checks which fields a user is allowed to change, adding "roleid":2 to that JSON sets the admin role on the attacker's own account, unlocks the admin panel, and lets the user delete "carlos."

Resolution

  1. Log in using the provided credentials: wiener:peter.

  2. Intercepting the login request in Burp Suite yields nothing useful for this lab; the role is not exposed there.

  3. Go to the Change Email page under /my-account/change-email and submit an email change with Burp's proxy capturing the traffic.

  4. Inspect the request and response. The request body is JSON containing only the new email; the response echoes the profile, including "roleid":1.

  5. Send the request to Burp Suite's Repeater.

  6. Add "roleid":2 (the admin role) to the JSON body of the request and send it. The response should now show "roleid":2.

  7. Refresh the page, and you should now see the admin panel button.

  8. Access the Admin Panel and delete the user "carlos."

Mitigation

  • Role-based Access Control (RBAC): Roles such as admin must be assigned only through a dedicated, privileged administrative path, never through a request the user controls. A role field arriving in a profile update from an ordinary user is an attack indicator, not input.

  • Server-side Validation: Decide authorization from the role stored server-side, and check it on every privileged request (the admin panel and each admin action such as deleting a user), not just when rendering the admin panel link.

  • Secure Profile Management: Bind profile updates to an explicit allowlist of user-editable fields (here, only the email address). Reject, or at minimum drop and log, any other field (roleid, apikey, username) rather than copying the whole request body onto the user record. Avoid echoing internal fields such as roleid in API responses; they tell an attacker what to try.

  • Session Management: Keep the user's identity and role bound to the server-side session or a signed token that the client cannot alter, so a privilege change can only come from a trusted code path, and re-check the stored role rather than any cached client-side state after a profile update.
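To make the Resolution steps and the mitigation concrete, here is an added example (not PortSwigger's lab code and not part of the original writeup) that models the change-email endpoint two ways: a vulnerable handler that copies every JSON field onto the user record, and a hardened handler that allowlists the editable fields. It then replays the payload from step 6 against both and attempts the admin-panel delete. The user store, the field names, and the convention that roleid 2 means admin are assumptions taken from the writeup.

```python
"""Added example: mass-assignment role escalation, vulnerable vs hardened.

Not the lab's code. The user store below is constructed; the field names
and "roleid 2 == admin" follow the writeup and are assumptions.
"""
import json
from copy import deepcopy

ADMIN_ROLE_ID = 2  # assumption: the lab treats roleid 2 as the admin role

# Constructed store, shaped like the JSON profile the lab echoes back.
USERS = {
    "wiener": {"username": "wiener", "email": "wiener@normal-user.net", "roleid": 1},
    "carlos": {"username": "carlos", "email": "carlos@carlos-montoya.net", "roleid": 1},
}

# Editable profile fields. This allowlist is the core of the fix.
ALLOWED_PROFILE_FIELDS = {"email"}


def change_email_vulnerable(users, username, body):
    """Vulnerable: every key in the client JSON is copied onto the profile.

    This is mass assignment; "roleid" is accepted from the client.
    """
    profile = users[username]
    profile.update(json.loads(body))  # bug: no allowlist of editable fields
    return profile


def change_email_hardened(users, username, body):
    """Hardened: reject any field outside the allowlist and validate the rest."""
    data = json.loads(body)
    unexpected = set(data) - ALLOWED_PROFILE_FIELDS
    if unexpected:
        # Rejecting (rather than silently dropping) gives a log line worth alerting on.
        raise ValueError(f"unexpected fields in profile update: {sorted(unexpected)}")
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    profile = users[username]
    profile["email"] = email  # only the allowlisted field is written
    return profile


def is_admin(users, username):
    """Authorization is decided from the server-side record, never the request."""
    return users[username]["roleid"] == ADMIN_ROLE_ID


def delete_user(users, actor, target):
    """Admin-panel action: re-checks the stored role on every call."""
    if not is_admin(users, actor):
        raise PermissionError("admin panel requires admin role")
    del users[target]


# The request body from step 6 of the writeup: a normal email change plus roleid.
ATTACK_BODY = json.dumps({"email": "wiener@normal-user.net", "roleid": 2})


def run_against(handler):
    """Replay the attack on a fresh copy of the store and report what happened."""
    users = deepcopy(USERS)
    try:
        handler(users, "wiener", ATTACK_BODY)
    except ValueError as exc:
        return {"accepted": False, "roleid": users["wiener"]["roleid"],
                "carlos_deleted": False, "error": str(exc)}
    try:
        delete_user(users, "wiener", "carlos")
        deleted = True
    except PermissionError:
        deleted = False
    return {"accepted": True, "roleid": users["wiener"]["roleid"], "carlos_deleted": deleted}


if __name__ == "__main__":
    print("vulnerable:", run_against(change_email_vulnerable))
    print("hardened:  ", run_against(change_email_hardened))
```

Note that `delete_user` has the same correct authorization check in both runs; the lab's bug is not a missing check on the admin action but that the role it checks is writable by the user. The hardened handler deliberately raises on unknown fields instead of dropping them, because a profile update carrying `roleid` from an ordinary account is exactly the event a detection rule should fire on.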
