User role controlled by request parameter


This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Reproduction and proof of concept

  1. Browse to /admin and observe that you can’t access the admin panel.

  2. Browse to the login page.

  3. In Burp Proxy, turn interception on and enable response interception.

  4. Login with credentials wiener:peter, and forward the resulting request in Burp.

  5. Observe that the response sets the cookie Admin=false. Change it to Admin=true.

  6. Load the admin panel (keep setting Admin to true) and delete carlos.


An attacker will need to access the admin panel, and use it to delete the user carlos.