User role controlled by request parameter

Description

This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Reproduction and proof of concept

Browse to /admin and observe that you can’t access the admin panel.
Browse to the login page.
In Burp Proxy, turn interception on and enable response interception.
Login with credentials wiener:peter, and forward the resulting request in Burp.
Observe that the response sets the cookie Admin=false. Change it to Admin=true.
Load the admin panel (keep setting Admin to true) and delete carlos.

Exploitability

An attacker will need to access the admin panel, and use it to delete the user carlos.