
Privilege Escalation - Role Manipulation

Difficulty: Easy | Category: A01:2021 - Access Control | 150 points

Challenge Description

This application has a critical flaw: the server accepts role changes from client-side requests without proper authorization checks.

  • Profile updates accept a role parameter from the client
  • API endpoints accept roleOverride for authorization
  • No server-side validation of role change permissions

You start as a regular User. Your goal is to escalate to SuperAdmin and access the master key.

Learning Objective: Understand why authorization decisions must never rely on client-provided data.
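To make the learning objective concrete, here is an added example (not the challenge's own code) of a minimal profile-update handler written two ways: one that copies the client-supplied role exactly as the challenge describes, and one that takes identity from the server-side session record and treats a role change as an explicit authorization decision. The in-memory store, the user ids and the rank numbers are constructed for the example; the role names follow the challenge's hierarchy.

```python
from dataclasses import dataclass

# Ordered least to most privileged, mirroring the challenge's role hierarchy.
ROLE_RANK = {"User": 0, "Moderator": 1, "Admin": 2, "SuperAdmin": 3}

@dataclass
class User:
    user_id: int
    username: str
    role: str

def make_store() -> dict:
    """Constructed in-memory user store; user 4 mirrors the challenge's regular_user."""
    return {1: User(1, "root", "SuperAdmin"), 4: User(4, "regular_user", "User")}

def update_profile_vulnerable(users: dict, session_user_id: int, target_id: int, payload: dict) -> User:
    """The challenge's flaw: every field in the client body is copied, 'role' included,
    and the session identity is never consulted."""
    user = users[target_id]
    user.username = payload.get("username", user.username)
    user.role = payload.get("role", user.role)
    return user

def update_profile_secure(users: dict, session_user_id: int, target_id: int, payload: dict) -> User:
    """Identity and privilege come from the server-side session record, only
    whitelisted fields are copied, and a role change is an explicit authorization decision."""
    actor = users[session_user_id]
    user = users[target_id]
    if actor.user_id != target_id and ROLE_RANK[actor.role] < ROLE_RANK["Admin"]:
        raise PermissionError("cannot edit another user's profile")
    if "username" in payload:
        user.username = payload["username"]
    if "role" in payload:
        new_role = payload["role"]
        if new_role not in ROLE_RANK:
            raise ValueError("unknown role")
        # Never on your own account, only on someone you outrank, and never
        # to a role above your own; the client body cannot satisfy this by itself.
        if (actor.user_id == target_id
                or ROLE_RANK[actor.role] <= ROLE_RANK[user.role]
                or ROLE_RANK[actor.role] < ROLE_RANK[new_role]):
            raise PermissionError("role change not authorized")
        user.role = new_role
    return user
```

The same rule disposes of the roleOverride parameter: the server already knows the caller's role from the session record, so nothing in the request body should be able to replace it.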

Current User Status

Username: regular_user

Role: User

User ID: 4

Permissions:

  • read

Update Profile (Vulnerable)

In a secure app, the role field wouldn't be editable by regular users!

Request Payload:

POST /api/users/4/profile
{
    "username": "regular_user",
    "role": "User"
}

API Endpoint Tester (Vulnerable)

The roleOverride parameter should never be accepted from clients!

Role Hierarchy
  • SuperAdmin - Full system access
  • Admin - Administrative access
  • Moderator - Content moderation
  • User - Basic access (you are here)