The power of “role”: “admin”

medium.com · Deepanshu Deep · 13 days ago · research
Deepanshu Deep · ~3 min read · March 26, 2026 (Updated: March 26, 2026)

Since the day I started using the internet, I always wondered why websites usually had something called role:user. Many years ago, when websites weren't as fancy as they are nowadays, these things used to be visible. But now they are hidden somewhere else. This always made me think: what is the use of this role? Why is a website mentioning the role? Is it important, or just part of rendering?

As time passed, I started learning bug hunting. The day I learned how important that small role is, everything changed. A single change to this parameter can impact the whole website.

Let's come to the real game

The role parameter decides what privileges you get when you enter the website, what actions you can perform, and what you are allowed to see. Suppose someone is an admin of the website. They will have role:admin, while a normal user will have role:user. An admin controls the website, so they have higher privileges, whereas a normal user has very limited access.

The bug hunter perspective

Whenever we see the role, we start to play with it, sometimes leaving it blank and sometimes changing user to admin. Whenever, as a bug hunter, you see such parameters, it is always worth changing them and checking how the application behaves. In earlier days these values used to be visible on the website, but nowadays they are hidden. However, always keep in mind that no matter how a website is built, in the end it is rendered using HTML, CSS, and JavaScript, because that is what browsers understand.

Capturing the vulnerability

Whenever you try logging into a website, always intercept the traffic and check what values are being sent as input, because sometimes the application includes hidden parameters that you didn't even enter. For this you can use Burp Suite: turn the interceptor on and you will be able to see exactly what is going on behind the scenes. If you want to learn how Burp Suite works, you can check out the excellent training provided by PortSwigger Academy.

After intercepting the request, if you see that the role is being sent as a parameter, go ahead and test it. Try changing it to values like null, 1, 0, admin, user, and more, and analyze how the website behaves. If the website accepts the modified parameter, congratulations: you may have bypassed the access control and found a critical (P1) vulnerability, commonly referred to as an authentication or authorization bypass.

In the next article, I will share how I used the same technique to find this vulnerability on the Blockchain India Challenge website.

Happy Hunting

#bug-bounty #cybersecurity
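The reason the role parameter is "worth changing" is that some servers decide authorization from whatever role value the client sent, instead of from the session they already hold for that user. The following is an added example, not code from the article or from any site it mentions: a constructed server-side stand-in with the vulnerable pattern beside its fix, plus the check a defender would log on. The `Request` type, the `SESSIONS` store, the action names and the session ids are all assumptions made up for illustration.

```python
"""
Constructed illustration (not the article's code) of why a client-supplied
"role" field must never drive authorization, and what the server should do
instead. All names, sessions and actions below are made up for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    # Minimal stand-in for an HTTP request: a session cookie plus a parsed body.
    cookie: str
    body: dict = field(default_factory=dict)


# Constructed server-side session store: session id -> the authenticated user.
# In a real application this is whatever the login step created; the client
# never gets to write into it.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "admin"},
}

# Actions that only an admin may perform (assumed names).
ADMIN_ONLY = {"delete_user", "view_all_orders"}


def vulnerable_can_perform(req: Request, action: str) -> bool:
    """Broken access control: the decision is based on the role the client sent.
    Anyone who edits role=user to role=admin in the intercepted request passes."""
    role = req.body.get("role", "user")
    return action not in ADMIN_ONLY or role == "admin"


def hardened_can_perform(req: Request, action: str) -> bool:
    """Fix: ignore any role in the request. Resolve the role from the server-side
    session the cookie maps to; an unknown session gets no privileges at all."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return False
    if action in ADMIN_ONLY:
        return session["role"] == "admin"
    return True


def is_role_tampering(req: Request) -> bool:
    """Detection hook: the legitimate client never needs to send a role field,
    so any request body that carries one (blank, 0, 1, admin, ...) is worth
    logging and alerting on, whichever value it holds."""
    return "role" in req.body


def demo() -> dict:
    """Run one tampered request (alice, a normal user, claiming admin) through
    both handlers and the detector."""
    tampered = Request(cookie="sess-alice", body={"role": "admin"})
    return {
        "vulnerable_grants_admin": vulnerable_can_perform(tampered, "delete_user"),
        "hardened_grants_admin": hardened_can_perform(tampered, "delete_user"),
        "flagged": is_role_tampering(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened handler has no code path in which request data influences the role at all; the session record, created at login, is the single source of truth. The detector is deliberately value-agnostic, so the variants the article lists (blank, 0, 1, user, admin) all produce the same log event.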