Burp Suite User Forum


How can I "Observe that the response contains your role ID."

Ludovico | Last updated: Dec 28, 2019 01:43PM UTC

Hi, I'm stuck at the fourth exercise of the Web Security Academy Lab. https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile

SOLUTION: Log in using the supplied credentials. [DONE] Click on "My Account" and submit a new email address. [DONE] Observe that the response contains your role ID. [NO, CAN'T OBSERVE ANYTHING.]

What I already did: I went to Proxy--Options--Intercept Server Responses and enabled "Intercept responses based on the following rules". Then I tried various combinations like this one: "OPERATOR: Or; MATCH TYPE: Content type header; RELATIONSHIP: Matches; CONDITION: json". But it's useless; it always shows only three responses, none of which show roleid. They all did show non-Unicode characters at the end, like ”–Z>9h`Y{ý’¹ü@à˜Üê‡ÿØ+§¹Ù. Is this the way to display roleid? Should I use the API key given in some way to decode these characters? Thanks for the attention.

Hannah, PortSwigger Agent | Last updated: Dec 31, 2019 11:11AM UTC

If you go to your HTTP history, you should see a POST request for your "change email" submission. If you click on that and navigate to the Response tab, you should see some JSON with the information required. You could also turn Intercept on just before you press the update email button, which would save you having to go through your HTTP history.

Burp User | Last updated: Jan 06, 2020 09:26PM UTC

I'm having the same problem, though using browser dev tools instead of Burp Suite. I wonder if something has changed in the Lab files? In my HTTP history, I don't see any response data at all -- the "change email" submission just returns a 302 redirect back to the main store page (expected behavior as per the JavaScript code in changeEmail.js). No JSON data is provided from the server. Also, submitting a "roleid": 2 value anyways causes an error on the server. I get a response back that either says "{"error":"Read timeout after 10000ms"}" with status code 400, or "Internal Server Error" with status code 500. I wonder if something on the back-end is not working correctly? Any chance to verify this? Thanks for the great exercises!

Ben, PortSwigger Agent | Last updated: Jan 07, 2020 09:06AM UTC

Hi Bob, I just tried this lab (using Burp) and was able to successfully solve it using the solution provided. As mentioned previously, the "change email" action should create a POST request in your HTTP history and the server response, for me, contains the following JSON: { "username": "wiener", "email": "test@hotmail.com", "apikey": "9euwcuw2lUdnLBqaryQbdT9kBwvR4HqO", "roleid": 1 } I can then resend the POST request with the following JSON included in the body: {"email":"test@hotmail.com","roleid": 2} Perhaps you could try to complete the lab using a version of Burp to see if that makes any difference?

Burp User | Last updated: Jan 08, 2020 01:36AM UTC

Hi Ben, thanks for the response. I've gotten the exercise to work using Python and by not following the redirects -- something the browser does automatically with no way I can find to prevent it. I assume Burp Suite does something similar under the covers and that is why it works with Burp. Thanks!

Ben, PortSwigger Agent | Last updated: Jan 08, 2020 08:17AM UTC

Hi Bob, yes, you are correct. The Burp Repeater tool, which is generally used to manipulate and reissue requests for testing, allows you to configure how redirects are handled, with the default being that they are not followed automatically. Glad to hear that you were able to solve the issue and proceed with the lab. Please let us know if you require any further assistance with anything else in the future.

Burp User | Last updated: Jan 23, 2020 02:02AM UTC

You are unable to do it at the first instance because of the ',' in JSON; separate the entities with ','.

Burp User | Last updated: Feb 02, 2020 06:44AM UTC

Browser: Firefox Developer Edition 65.0b10 (64-bit) [DevTools]

I had the same issue(s) as described above, i.e., I wasn't receiving any response from the '302 POST' after submitting the new user email. Here's what worked for me...

In the 'Network' tab, ran the exercise as explained. Found the '302 POST' reply, right clicked, selected 'Edit and Resend.' In 'Request Headers,' deleted all but the 'Host,' 'Referer,' and 'Cookie' data fields. In 'Request Body,' formatted as follows:

{ "username":"wiener", "email":"YOUR SESSION EMAIL HERE", "apikey":"YOUR SESSION KEY HERE", "roleid":2 }

Resent to: https://ac171f971ffdc9b68013afac003f0095.web-security-academy.net/my-account/change-email

Went to: /admin

Hope that helps...
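The thread above is about a profile endpoint that copies whatever JSON the client sends (including roleid) onto the stored user. As an added example that is not the lab's own code, here is a minimal model of that mass-assignment bug next to a hardened handler that only accepts an allowlisted field; the user record and API key value are constructed placeholders.

```python
import json

# Constructed sample profile, shaped like the JSON quoted in the thread.
# The apikey is a placeholder, not a real lab value.
CURRENT_USER = {
    "username": "wiener",
    "email": "wiener@example.test",
    "apikey": "PLACEHOLDER_API_KEY",
    "roleid": 1,
}

# The only profile field a user is permitted to change about themselves.
USER_EDITABLE_FIELDS = frozenset({"email"})


def change_email_vulnerable(user, request_body):
    """Mass assignment: every key in the JSON body is merged into the stored
    profile, so a "roleid" (or "apikey") key in the body silently overwrites
    the server-side value. This is the behaviour the lab demonstrates."""
    updated = dict(user)
    updated.update(json.loads(request_body))
    return updated


def change_email_hardened(user, request_body):
    """Allowlist fix: take only permitted fields from the body, validate the
    value, and reject (rather than silently drop) unexpected keys so that
    tampering attempts surface in application logs."""
    data = json.loads(request_body)
    unexpected = set(data) - USER_EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected profile fields: {sorted(unexpected)}")
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    updated = dict(user)
    updated["email"] = email  # roleid and apikey are never read from input
    return updated


def hardened_rejects(user, request_body):
    """True if the hardened handler refuses the given body."""
    try:
        change_email_hardened(user, request_body)
    except ValueError:
        return True
    return False
```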
