User role controlled by request parameter (Apprentice Level)
In this video, I demonstrate how to solve the User Role Controlled by Request Parameter lab from PortSwigger Web Security Academy. This lab highlights a critical access control vulnerability where the application determines user privileges based on a client-controlled request parameter. Instead of enforcing roles securely on the server side, the application relies on a parameter (such as a cookie value) in the HTTP request. This allows an attacker to manipulate the parameter value and escalate privileges, gaining unauthorized access to administrative functionality. In this walkthrough, we modify the cookie parameter value and demonstrate how improper access control can lead to privilege escalation.

Topics covered in this video:
- Understanding user role manipulation vulnerabilities
- Identifying client-controlled access control mechanisms
- Exploiting parameter-based privilege escalation
- Gaining unauthorized admin access

This vulnerability falls under Broken Access Control, one of the most critical risks listed in the OWASP Top 10. The labs from PortSwigger Web Security Academy provide hands-on practice for learning real-world web security vulnerabilities and improving penetration testing skills. This video is useful for application security engineers, penetration testers, bug bounty hunters, and anyone preparing for web security certifications or interviews.

⚠️ This demonstration is performed in a controlled lab environment for educational purposes only. Do not attempt these techniques on systems without proper authorization.
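To make the root cause concrete, here is an added example (not code from the lab or from PortSwigger) that contrasts a role check which trusts a client-controlled cookie with one that resolves the role from server-side session state. The cookie name "Admin", the session ids and the user records are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> user record.
# In a real application this lives in a database or session backend,
# never in a value the client can edit.
SESSION_STORE = {
    "sid-7f3a": {"username": "wiener", "role": "user"},
    "sid-9c21": {"username": "administrator", "role": "admin"},
}


def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_vulnerable(cookie_header: str) -> bool:
    """Vulnerable pattern: the role is read straight from an 'Admin' cookie.

    Nothing here is verified against server-side state, so whoever sends the
    request decides whether they are an admin.
    """
    cookies = parse_cookies(cookie_header)
    return cookies.get("Admin", "false").lower() == "true"


def is_admin_fixed(cookie_header: str) -> bool:
    """Hardened pattern: the cookie only carries an opaque session id.

    The role is looked up in SESSION_STORE, which the client cannot modify;
    any extra 'Admin' cookie the client sends is simply ignored.
    """
    cookies = parse_cookies(cookie_header)
    session = SESSION_STORE.get(cookies.get("session", ""))
    return session is not None and session["role"] == "admin"


def admin_panel_status(cookie_header: str, check=is_admin_fixed) -> int:
    """Return the HTTP status an /admin endpoint would answer with."""
    return 200 if check(cookie_header) else 403
```

Running both checks against the same tampered request (a normal user's session with an added Admin=true cookie) shows the vulnerable check granting access while the fixed one still returns 403.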