# Level 4: User role can be modified in user profile

## <mark style="color:purple;">Objective</mark>

Solve the lab by accessing the admin panel and deleting the user carlos.

## <mark style="color:purple;">Explanation</mark>

This lab features a vulnerable user profile page where the user role can be modified. By modifying the `roleid` from 1 to 2, the user can gain admin privileges and access the admin panel to delete the user "carlos."

## <mark style="color:purple;">Resolution</mark>

1. Log in using the provided credentials: `wiener:peter`.
2. Try intercepting the login request with Burp Suite; it contains nothing useful here, since the role is not sent at login.
3. Go to the **Change Email** page under `/my-account/change-email`.
4. Inspect the request and response. You will find `"roleid":1` in the JSON response, which shows the server exposes the role as a profile attribute.
5. Send the request to Burp Suite's **Repeater**.
6. Edit the JSON body of the request so the `roleid` value is `2` (the admin role) and send the modified request.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXckn6gWta7fEjPIZ04cPP-1pwPIwRYCdojkEmRQ225aTZUiyiGF1wps395b5qajDM58O7l0U4yN6gz1YWnkZbUQYg71KtB8m-P5ClmkEDUxfw7AgqvYKqQJsJGcAAFMbkYkPX70wA?key=fa42owF2aOzdeWltlyWxs3tn" alt="" width="375"><figcaption></figcaption></figure>

7. Refresh the page, and you should now see the admin panel button.
8. Access the **Admin Panel** and delete the user "carlos."

## <mark style="color:purple;">Mitigation</mark>

* **Role-based Access Control (RBAC)**: Ensure that sensitive roles (like admin) are assigned and controlled securely, and cannot be modified by users via client-side requests.
* **Server-side Validation**: Always validate and verify roles server-side before granting access to privileged areas like the admin panel.
* **Secure Profile Management**: Prevent users from modifying critical attributes (such as `roleid`) by enforcing server-side logic.
* **Use of HTTP Headers and Session Management**: Strengthen session management with proper authentication and authorization checks, such as using secure cookies and tokens.
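The mitigations above come down to one rule for the profile endpoint: never copy client-supplied attributes into the user record wholesale, and never derive an authorization decision from anything but the stored record. The following added example (not code from the lab or this writeup) shows a framework-free profile-update handler in both its vulnerable form, which merges the whole JSON body, and a hardened form that copies only an allow-list of fields and reports every rejected key so the attempt can be logged. The user store, role ids and request body are constructed sample data; `ADMIN_ROLE_ID = 2` is an assumption mirroring the lab.

```python
"""Added example, not part of the PortSwigger lab or this writeup: a minimal
profile-update handler showing the mass-assignment flaw beside a hardened
version. Framework-free so it runs offline; all data below is constructed."""

import copy
import json

ADMIN_ROLE_ID = 2  # assumption: mirrors the lab, where roleid 2 is admin

# Constructed sample user store (no real credentials or real accounts)
USERS = {
    "wiener": {"username": "wiener", "email": "wiener@example.com", "roleid": 1},
}

# The only attribute the change-email endpoint is allowed to modify
ALLOWED_PROFILE_FIELDS = {"email"}


def update_profile_vulnerable(user, body):
    """Vulnerable: every key in the JSON body is merged into the user record,
    so a body that also carries "roleid": 2 promotes the caller to admin."""
    user = copy.deepcopy(user)
    user.update(json.loads(body))
    return user


def update_profile_secure(user, body):
    """Hardened: only allow-listed fields are copied, and values must be strings.
    roleid is never taken from the request. Returns the updated record and the
    sorted list of rejected keys so the caller can log the attempt."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("profile update body must be a JSON object")
    rejected = sorted(set(data) - ALLOWED_PROFILE_FIELDS)
    user = copy.deepcopy(user)
    for field in ALLOWED_PROFILE_FIELDS:
        if field in data:
            if not isinstance(data[field], str):
                raise ValueError(f"{field} must be a string")
            user[field] = data[field]
    return user, rejected


def can_access_admin_panel(user):
    """Authorization decided server-side from the stored record only; nothing
    the client sends in the request is consulted."""
    return user.get("roleid") == ADMIN_ROLE_ID


if __name__ == "__main__":
    # Constructed request body: a legitimate email change plus a smuggled roleid
    body = json.dumps({"email": "new@example.com", "roleid": 2})
    vuln = update_profile_vulnerable(USERS["wiener"], body)
    safe, rejected = update_profile_secure(USERS["wiener"], body)
    print("vulnerable handler grants admin:", can_access_admin_panel(vuln))
    print("hardened handler grants admin:", can_access_admin_panel(safe))
    print("rejected keys (log these):", rejected)
```

The rejected-key list is the detection hook: a profile update that names `roleid` or any other non-editable attribute is worth an alert, since a legitimate client has no reason to send it.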
