Creating a User with Admin Privileges
Start course
2h 6m

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us opportunity to practice what we have learned so far, and also learn about new techniques and new vulnerabilities as well, such as XX vulnerabilities.


Hi, within this lecture, we're going to continue using some of the three-star challenges to improve our skills, okay? As you can see, the first challenge for me, at least for me is to register as a user with administrator privileges. So far, we have actually gathered the password of the administrator but we couldn't create any user that is actually an administrator, right? So, it's asking for us to do that. So, what do you do if you see something like this? What do you test? Of course, you're going to have to go to registry page and try to see what happens in the Burp Suite, right? So, it's the way to go. So, what I'm going to do, I'm going to come over here to registry, okay? And I'm going to open the Burp Suite, make sure my intercept is on to see what's going on over there. I'm going to give an email over here. So, I'm going to say or...Yeah, it's intercepting right now because it has a filter if you might remember. It's searching for the username and let's give it a random password like 123456. So, 123456. Let's give it a test over here as well. So, everything seems to be fine. I'm trying to create a real user by the way, I'm not doing any kind of additional tests over here. So, I'm going to forward this until I see my parameters. So, that's not what I'm looking for, let me forward this. Yep, this as well. Just forward it until you see this parameter. So, here we go. We see the email, we see the password, we see everything. So, there's no funny thing over here, everything seems to be okay. What I'm going to do, I'm going to open just send this to Repeater and test it over there. So, I have this on Repeater, I can just try it as many as I want. I'm going to send this and in the right hand side in the response, I got a success back because I did everything right. So, there is nothing wrong over there. So, as you can see username doesn't exist because we're going to choose that username later on, so there is nothing wrong over here. But there is a role section and it says customer. So, this might be interesting, right? So, this is pretty commonly used by the web applications so you define roles like admin, administrator, manager, moderator, customer and the other parameters are just the expected parameters, okay? There is nothing wrong with them but we have to focus on this role. For example, we don't have any role input in the request but we have a response over here stating the role, right? So, what might happen over here, we don't know it yet but we just send the request, maybe it's adding that specific role parameter here automatically in the server, okay? And maybe if we sent that with a specific role parameter then it will accept it. We don't know if that's the case but certainly we can try it because we see the role parameter over here. So, what I'm going to do, I'm going to override this and I'm going to just try admin or administrator in this case and see if it works or not, right? So, after the security answer for the last parameter over here, okay? Just make sure you write it maybe over here actually, I didn't get a new parameter but it may not work because it's, I believe it's sending this as JSON. So, rather than going to the parameters, I'm going to come over here, okay? And make sure stay in the curly braces not below and after the security answer put a comma and then hit 'Enter', okay? So, you have to put a comma, otherwise it won't work and hit 'Enter' to write it over here. So, I'm going to say role and with colon, I'm going to say admin like this and they're inside of double quotation marks as you can see both the role and the admin itself. So, I'm going to change the email because this email already exists in the database right now. I'm going to send this and see what happens. So, here we go. We have a status of success and the thing is the role is admin in this case. Now, let's see if we made it. So, I'm going to turn the intercept off over there, okay? And I'm going to, as you can see we already solved it. We can see it but I'm going to make sure because I want to log in with this our newly created account and see if this is really administrator. So, I'm going to say and for the password, I'm just going to give 123456. I'm going to log in. Here we go. Now we are logged in. It solves, it actually shows us you solved that challenge so we should be able to reach the scoreboard and stuff and here we go. Now we managed to solve this problem as well. So, there is another funny thing over here, like submit 10 or more customer feedbacks within 10 seconds. They should be fun as well, right? Now we're going to stop here and focus on this challenge in the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.