[Write-up] Broken Access Control: Exploiting a Multi‑Step Role Change Flow for Unauthorized Admin Promotion.
Disclaimer:
The techniques described in this document are intended solely for ethical use and educational purposes. Unauthorized use of these methods outside approved environments is strictly prohibited, as it is illegal, unethical, and may lead to severe consequences.It is crucial to act responsibly, comply with all applicable laws, and adhere to established ethical guidelines. Any activity that exploits security vulnerabilities or compromises the safety, privacy, or integrity of others is strictly forbidden.
This lab demonstrates a broken access control vulnerability in a multi-step role change process on an admin panel. The process is intended for administrators to promote or demote user roles.
Users normally should not have access to any admin functionality, including changing roles.