User role can be modified in user profile (Apprentice Level)
In this video, I demonstrate how to solve the User Role Can Be Modified in User Profile lab from PortSwigger Web Security Academy. This lab highlights a critical access control vulnerability where a user's role is improperly exposed and can be modified through the profile update functionality. Instead of enforcing authorization checks on the server side, the application allows role-related parameters to be updated via user-controlled input. By manipulating this request, an attacker can escalate privileges and gain unauthorized administrative access.

In this walkthrough, we analyze the profile update feature, intercept the request using Burp Suite, and modify the role parameter to escalate privileges from a normal user to an administrator.

Topics covered in this video:
Understanding improper access control in user profiles
Identifying sensitive parameters in the profile update response
Exploiting mass assignment for privilege escalation
Gaining unauthorized admin access

This vulnerability is a classic example of Broken Access Control, one of the most critical risks listed in the OWASP Top 10. The labs from PortSwigger Web Security Academy provide hands-on practice for learning real-world web application security issues and improving penetration testing skills. This video is useful for application security engineers, penetration testers, bug bounty hunters, and anyone preparing for security interviews or certifications.
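The server-side defect the video describes, as an added example in Python that is not the lab's own code: a profile-update handler that mass-assigns the whole request body beside a hardened form that copies only an allowlist of fields and reports every field it refused. The user record, field names and role ids are constructed for illustration.

```python
# Added example (not from the video or the PortSwigger lab). Shows why letting
# the request body drive the update lets a client rewrite server-owned fields,
# and how an allowlist stops it while surfacing the attempt for logging.
import copy

# Constructed sample user record; "roleid" is owned by the server, not the user.
SAMPLE_USER = {"username": "wiener", "email": "wiener@example.com", "roleid": 1}
ADMIN_ROLE_ID = 2  # constructed value standing in for the admin role

# The only profile fields a user may change about their own account.
PROFILE_ALLOWLIST = frozenset({"email"})


def update_profile_vulnerable(user, submitted):
    """Mass assignment: every key in the submitted JSON overwrites the record,
    so a body that includes "roleid" changes the caller's role."""
    updated = copy.deepcopy(user)
    updated.update(submitted)
    return updated


def update_profile_hardened(user, submitted):
    """Copies allowlisted fields only. Returns the updated record plus the
    sorted list of rejected keys so the caller can log or alert on them."""
    updated = copy.deepcopy(user)
    rejected = []
    for key, value in submitted.items():
        if key in PROFILE_ALLOWLIST:
            updated[key] = value
        else:
            rejected.append(key)
    return updated, sorted(rejected)


def is_admin(user):
    """Authorization decision must rely on the server-side record only."""
    return user.get("roleid") == ADMIN_ROLE_ID
```

A non-empty `rejected` list on a profile update is a useful detection signal: ordinary clients never submit server-owned field names such as `roleid`.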