[Access Control] Lab 5: User role controlled by request parameter




About this lab:







This lab is a part of the journey toward getting the Burp Suite Certified Practitioner certification, and it is a part of the Server-side vulnerabilities pathway.


These were the 3 places I looked, from what I have learned so far. Now all that is left is to check the raw HTML doc.

I went ahead and started exploring the site and hit My account in the top right corner of the web page, and was able to find the login page for this application.




Let's turn on the proxy and give a test input to see how the application behaves when we give it input. I have a feeling the URL might give up some information based on the query we pass. Also, we log in with wiener:peter.





Now that I have logged in, I get a webpage asking for my email. Also notice that since a session cookie has been established, we are now upgraded to WebSockets.



Notice also the admin=false. I changed that to True and got the admin page button to pop up.









This is the button I made this request from.





After this I was able to modify the user and deleted Carlos, completing the lab.
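
The root cause in this lab is that the server takes the user's role from the admin cookie, which the client can edit. As an added example (not code from the lab or from this post), the sketch below puts that flawed check beside one that derives the role from server-side session state, plus a check that flags a mismatch for logging. The `session` cookie name, the session ids and the `SESSIONS` store are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed server-side state: session id -> account record (hypothetical values).
SESSIONS = {
    "s3ss10n-wiener": {"user": "wiener", "is_admin": False},
    "s3ss10n-admin": {"user": "administrator", "is_admin": True},
}


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    """Flawed check: the role is read from a cookie the client can edit."""
    cookies = parse_cookies(cookie_header)
    return cookies.get("admin", "false").lower() == "true"


def is_admin_hardened(cookie_header: str) -> bool:
    """Role comes only from the server-side record for the session id."""
    cookies = parse_cookies(cookie_header)
    record = SESSIONS.get(cookies.get("session", ""))
    # Unknown or missing session: deny by default.
    return bool(record and record["is_admin"])


def role_tampering_suspected(cookie_header: str) -> bool:
    """Detection aid: client-supplied role disagrees with the server record."""
    return is_admin_vulnerable(cookie_header) and not is_admin_hardened(cookie_header)


if __name__ == "__main__":
    # Constructed Cookie headers for a non-admin session.
    for header in ("session=s3ss10n-wiener; admin=false",
                   "session=s3ss10n-wiener; admin=True"):
        print(header, is_admin_vulnerable(header), is_admin_hardened(header),
              role_tampering_suspected(header))
```

With the hardened check the admin cookie has no effect on authorization, so it can be dropped from responses entirely; the mismatch check is only useful while the cookie still exists.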

