
We logged in with the wiener account, intercepted the response that loads the profile page, and tried changing the id value it carried.

We changed the id value in that response to 2.

We could see that a GET request was then issued using that id; however, the attempt failed and we were redirected to the login page, so tampering with the user id alone was not enough.

We then turned to the "Update Email" function to see whether it accepted more than the email field:

We submitted the update with our existing email address and, on sending the request, saw a roleid parameter returned with the value 1 in the response.

We added a roleid parameter to our request and set it to 2; the response showed roleid set to 2 as well, which meant the server was writing whatever fields the client supplied straight into our user record rather than only the email.

We then refreshed the page, were able to open the admin panel, deleted the user carlos, and solved the lab.
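The bug exploited above is a mass-assignment flaw: the email-update handler copies every field in the request body onto the stored user, so an attacker can set roleid. The following is an added example written for this write-up, not code from the lab or from PortSwigger, that models the endpoint in its vulnerable form beside a fixed version, and includes the probe used above (resubmit the legitimate request with one extra field and see whether the response echoes it). The JSON body shape, the in-memory user store and the value 2 standing for the administrator role are assumptions; the page only shows that roleid 2 unlocked the admin panel.

```python
# Added example (not the lab's own code): a minimal model of the
# "change email" endpoint, vulnerable and fixed, plus the probe used
# to detect the flaw. JSON shape, user store and the admin role value
# are assumptions.
import copy
import json

# Constructed in-memory user store standing in for the lab's database.
USERS = {
    "wiener": {"username": "wiener", "email": "wiener@normal-user.net", "roleid": 1},
}
ADMIN_ROLE = 2  # assumed: the write-up only shows that roleid 2 granted admin access


def change_email_vulnerable(store, username, body):
    """Mass assignment: every key in the client's JSON is written to the record."""
    user = store[username]
    user.update(json.loads(body))
    return json.dumps(user)


def change_email_fixed(store, username, body):
    """Only the single field the form is meant to change is taken from the client.
    roleid (and anything else) in the body is ignored; a real handler would also
    validate the email and decide role changes server-side."""
    user = store[username]
    payload = json.loads(body)
    user["email"] = str(payload["email"])
    return json.dumps(user)


def is_admin(store, username):
    return store[username]["roleid"] == ADMIN_ROLE


def exploit_body(email):
    """The request body the write-up describes: the legitimate email plus an extra roleid."""
    return json.dumps({"email": email, "roleid": ADMIN_ROLE})


def field_is_assignable(handler, username, field, value):
    """Probe from the write-up: resend the normal update with one extra field and
    report whether the response reflects it. Works on a fresh copy of the store."""
    store = copy.deepcopy(USERS)
    body = json.dumps({"email": store[username]["email"], field: value})
    resp = json.loads(handler(store, username, body))
    return resp.get(field) == value


def run_demo():
    """Run the exploit body through both handlers on fresh copies of the store.
    Returns (roleid after vulnerable handler, roleid after fixed handler)."""
    body = exploit_body("wiener@normal-user.net")
    vuln_store = copy.deepcopy(USERS)
    change_email_vulnerable(vuln_store, "wiener", body)
    fixed_store = copy.deepcopy(USERS)
    change_email_fixed(fixed_store, "wiener", body)
    return vuln_store["wiener"]["roleid"], fixed_store["wiener"]["roleid"]


if __name__ == "__main__":
    vuln_role, fixed_role = run_demo()
    print("roleid after vulnerable handler:", vuln_role)
    print("roleid after fixed handler:", fixed_role)
    print("roleid assignable via vulnerable handler:",
          field_is_assignable(change_email_vulnerable, "wiener", "roleid", ADMIN_ROLE))
```

The probe is the same check performed manually above with Burp: the tell is a field appearing in the response that the form never exposed as editable. The fix is an allowlist of writable fields on the server; stripping roleid from the client request alone would not help, since the attacker controls the request.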
