My name is Terry Amondi and I am thrilled by offensive security
The objective of this lab is to access the admin panel by way of a forgeable cookie and then delete the user carlos. Credentials to log into the account of a non-admin user have been provided. Let’s get started!
The lab gives access to a shopping site as shown below.
The instructions indicate that the admin panel is at /admin. Let’s try to access it. You get the following message.
Since you have no access to the admin panel yet, let’s try to log in to the account of the non-admin user with the credentials given (wiener:peter). Enter these credentials after clicking on My Account. You get the following interface.
I am using an extension known as Cookie-Editor on my browser which, as the name suggests, lets me edit cookies. You can do the same using Burp Suite but I will use this extension due to easy access. By clicking on the extension while logged in as wiener, I see that there is a cookie named Admin which has been set to false.
You need to change the value to true. Doing so and then reloading the page adds a new option (Admin panel) on the top-right corner of the site.
Clicking on this option takes you to the admin panel where you can delete the user carlos.
Following the deletion:
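To show why the lab's Admin cookie is a broken access control and what the fix looks like on the server side, here is an added example (my own code, not part of the lab or the post). It assumes a hypothetical request model and a constructed server-side session store; the vulnerable check trusts the cookie, the fixed check derives the role from the session, and a small detector flags requests whose cookie claims a role the session does not have.

```python
"""Added example: client-controlled Admin cookie vs. server-side role lookup.
The Request type, SESSIONS store and session ids are constructed for this
example and are not from the lab."""
from dataclasses import dataclass, field


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)


# Constructed server-side session store: session id -> user record.
# Only the server can write to this, so the client cannot forge a role here.
SESSIONS = {
    "sess-wiener": {"username": "wiener", "role": "user"},
    "sess-admin": {"username": "administrator", "role": "admin"},
}


def is_admin_vulnerable(req: Request) -> bool:
    """The lab's pattern: authorization decided by a client-supplied cookie.
    Anyone who edits Admin=false to Admin=true passes this check."""
    return req.cookies.get("Admin", "false").lower() == "true"


def is_admin_fixed(req: Request) -> bool:
    """Hardened check: the role comes from the server-side session record.
    The Admin cookie, if present, is simply ignored."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    return session is not None and session["role"] == "admin"


def delete_user(req: Request, target: str, check) -> str:
    """Admin-only action guarded by whichever check is passed in."""
    if not check(req):
        return "403 Forbidden"
    return f"deleted {target}"


def forged_role_claim(req: Request) -> bool:
    """Detection aid: a client cookie claiming admin while the server-side
    session says otherwise is a strong sign of cookie tampering."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    claims_admin = req.cookies.get("Admin", "false").lower() == "true"
    return claims_admin and (session is None or session["role"] != "admin")


if __name__ == "__main__":
    forged = Request({"session": "sess-wiener", "Admin": "true"})
    print(delete_user(forged, "carlos", is_admin_vulnerable))  # deleted carlos
    print(delete_user(forged, "carlos", is_admin_fixed))       # 403 Forbidden
    print(forged_role_claim(forged))                            # True
```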