User role can be modified in user profile
https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile
Level: Apprentice
The following challenge tells us to log in and delete user Carlos.
We will do that using the roleid parameter in the modified requests.
Doing some recon, you will notice that the request we make to change the user's email is in JSON format.
We can try to add the roleid parameter with the value of 2 as said in the beginning.
Add the roleid this way:
Once you send the modified request, you will see that we can access an "admin feature".
Click on it to delete user Carlos and complete the challenge.
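Why the extra roleid field works, and how the server side should handle it, as an added example that is not part of the original write-up or the lab's own code. It assumes a hypothetical email-change handler; the user record, the function names and the sample body are constructed, and only the email and roleid fields and the value 2 come from the text above.

```python
import json

ADMIN_ROLEID = 2               # value used in the write-up
EDITABLE_FIELDS = {"email"}    # the only field this endpoint is meant to change


def new_user():
    # Constructed user record; field names mirror the JSON described above.
    return {"username": "user1", "email": "user1@example.test", "roleid": 1}


def change_email_vulnerable(user, raw_body):
    """Binds every key of the JSON body onto the user record (mass assignment)."""
    user.update(json.loads(raw_body))
    return user


def change_email_hardened(user, raw_body):
    """Copies only allowlisted fields and rejects bodies carrying anything else."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    unexpected = sorted(set(body) - EDITABLE_FIELDS)
    if unexpected:
        # Worth logging: a client sending roleid here is probing access control.
        raise PermissionError(f"fields not editable by the user: {unexpected}")
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    user["email"] = email
    return user


def is_admin(user):
    # The role is read from the server-side record, never from request data.
    return user["roleid"] == ADMIN_ROLEID


if __name__ == "__main__":
    body = '{"email": "new@example.test", "roleid": 2}'  # constructed request body
    print("vulnerable handler, admin:", is_admin(change_email_vulnerable(new_user(), body)))
    try:
        change_email_hardened(new_user(), body)
    except PermissionError as exc:
        print("hardened handler rejected:", exc)
```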