User role controlled by request parameter
This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.
Reproduction and proof of concept
1. Browse to /admin and observe that you can't access the admin panel.
2. Browse to the login page.
3. In Burp Proxy, turn interception on and enable response interception.
4. Log in with the credentials wiener:peter, and forward the resulting request in Burp.
5. Observe that the response sets the cookie Admin=false. Change it to true.
6. Load the admin panel (keep setting Admin to true) and delete the user.
An attacker will need to access the admin panel and use it to delete the user
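The root cause is that the role lives in a client-controlled cookie. As an added illustration (not code from the lab or from PortSwigger), the snippet below contrasts the lab's vulnerable check with a fixed version that keeps the role in a server-side session keyed by an opaque id; the session store, the constructed "administrator" account and the helper names are assumptions for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory stand-in for a server-side session backend:
# session id -> {"user": ..., "role": ...}
SESSIONS = {}

def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie header (e.g. 'session=abc; Admin=true')."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}

def is_admin_vulnerable(cookie_header: str) -> bool:
    """The lab's flaw: trust a role flag the client can rewrite."""
    return parse_cookies(cookie_header).get("Admin") == "true"

def login(username: str) -> str:
    """Create a server-side session and return the Set-Cookie value.
    The role is decided by the server (only the constructed 'administrator'
    account is an admin) and never written into a client-visible field."""
    role = "admin" if username == "administrator" else "user"
    sid = secrets.token_urlsafe(32)          # unguessable, opaque id
    SESSIONS[sid] = {"user": username, "role": role}
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax"

def is_admin_fixed(cookie_header: str) -> bool:
    """Look the role up server-side from the session id; any 'Admin'
    cookie the client sends is simply ignored."""
    sid = parse_cookies(cookie_header).get("session")
    session = SESSIONS.get(sid)
    return session is not None and session["role"] == "admin"

def forged_role_cookie_present(cookie_header: str) -> bool:
    """Detection aid for a legacy app still emitting Admin=false: a client
    presenting Admin=true is tampering, since the server never sets it."""
    return parse_cookies(cookie_header).get("Admin") == "true"
```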