Challenge 5: Altering the Unalterable
This is a detailed writeup created for challenges associated with the Certified Web App Security Expert (CWAE) certification.
Challenge/Task
- Altering the Unalterable
Proof-of-Concept (POC):
I discover a feature/endpoint/parameter that is not supposed to be modified or changed by the user: the email address.
To prove it, I send a POST request to update my profile. Referring to the screenshot below, there is no parameter referring to an email. That means the user cannot change the email.
Looking at the source code, the id and name of the Email field are "email". I suspect that is the parameter.
We try sending the same request again, but this time I include an additional parameter "email" and assign it an arbitrary value. The response from the server shows no error.
I go to my profile and find that my email address has been changed. So here we can alter the unalterable parameter.
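The root cause is a profile-update handler that applies every submitted field to the user record (mass assignment). The following is an added example, not code from the challenge target, showing such a handler beside a hardened version that only accepts an explicit allowlist and reports any extra keys so they can be logged; the field names and `User` model are assumptions.

```python
# Added example (not the CWAE target application's code): a profile-update
# handler that copies every posted field onto the user ("mass assignment")
# next to one that applies only an allowlist. Field names are assumptions.
from dataclasses import dataclass, replace


@dataclass
class User:
    username: str
    email: str        # set at registration; the profile form does not expose it
    display_name: str = ""
    bio: str = ""


# The only fields the profile form is meant to change (assumed for this example).
PROFILE_EDITABLE = frozenset({"display_name", "bio"})


def update_profile_unsafe(user: User, form: dict) -> User:
    """Vulnerable: any posted key that matches an attribute is applied,
    so a smuggled 'email' parameter silently overwrites the address."""
    updated = replace(user)
    for key, value in form.items():
        if hasattr(updated, key):
            setattr(updated, key, value)
    return updated


def update_profile_safe(user: User, form: dict) -> tuple[User, list[str]]:
    """Hardened: applies only allowlisted keys and returns the ignored ones,
    which a caller should log (unexpected keys are a useful detection signal)."""
    ignored = sorted(k for k in form if k not in PROFILE_EDITABLE)
    accepted = {k: v for k, v in form.items() if k in PROFILE_EDITABLE}
    return replace(user, **accepted), ignored


if __name__ == "__main__":
    # Constructed request body: the form's own fields plus an extra 'email' key.
    body = {"display_name": "Alice", "bio": "hi", "email": "injected@example.com"}
    u = User(username="alice", email="alice@example.com")
    print(update_profile_unsafe(u, body).email)      # injected@example.com
    safe_user, ignored = update_profile_safe(u, body)
    print(safe_user.email, ignored)                  # alice@example.com ['email']
```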