# Cafe Club

> Our favorite coffee webshop has the hint ***time to update your profile*** today.

Once I logged in, I went to the profile page to update my profile. The first thing I saw was the `update password` functionality. But when I went to inspect the traffic, I didn't see anything suspicious.

I saw in Burp Suite that when I requested my profile, the API returned `{"role":"user"}`, so maybe if I update my profile and add that extra property, I'd become an admin.

<figure><img src="https://2622029278-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV7OebgUO4GDe408WfphF%2Fuploads%2Fju2rejWdn9nNMRbVi5vU%2Fafbeelding.png?alt=media&#x26;token=ec004e21-2029-47c5-baa2-4a3c8cda6289" alt=""><figcaption></figcaption></figure>

The profile updated successfully, but unfortunately, this didn't reflect in the frontend. However, it is kinda strange that the PUT request came through. So maybe with another property? Inside the `GET /api/profile` I also saw a `points` property.

<figure><img src="https://2622029278-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV7OebgUO4GDe408WfphF%2Fuploads%2FbAdCwsULghxilhkz3BEW%2Fafbeelding.png?alt=media&#x26;token=cf8d9fd3-8977-4d9f-b112-304b2e0d7711" alt=""><figcaption></figcaption></figure>

Maybe I could give myself some extra points?

<figure><img src="https://2622029278-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV7OebgUO4GDe408WfphF%2Fuploads%2Fo8qdHEF18E42ScRLpJaW%2Fafbeelding.png?alt=media&#x26;token=829d58d3-aa17-4cb9-862b-eb538b84382f" alt=""><figcaption></figcaption></figure>

That did the trick! And I got my flag 🇧🇪
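
The behaviour above is mass assignment: the profile update accepted properties the client should never be able to set. The following is an added example, not the challenge's code (its backend is not shown in this write-up), contrasting a handler that merges the whole request body with one that copies only allowlisted fields. The function names, the editable field list and the sample values are assumptions; only `role` and `points` come from the write-up.

```javascript
// Constructed sample record; "role" and "points" are the fields seen in GET /api/profile.
const storedProfile = { id: 7, name: "alice", email: "alice@example.test", role: "user", points: 10 };

// Vulnerable pattern: every property of the request body is merged into the record,
// so server-owned fields such as role and points become client-writable.
function updateProfileUnsafe(profile, body) {
  return Object.assign({}, profile, body);
}

// Hypothetical allowlist of fields a user may change on their own profile.
const EDITABLE_FIELDS = ["name", "email"];

// Hardened pattern: copy only allowlisted string fields and report the rest,
// so the caller can return 400 and log the attempt.
function updateProfileSafe(profile, body) {
  const updated = { ...profile };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (EDITABLE_FIELDS.includes(key) && typeof value === "string") {
      updated[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

// Constructed PUT body: one legitimate field plus two server-owned ones.
const putBody = JSON.parse('{"name":"alice2","role":"admin","points":99999}');

const unsafeResult = updateProfileUnsafe(storedProfile, putBody);
const safeResult = updateProfileSafe(storedProfile, putBody);

console.log("unsafe:", unsafeResult.role, unsafeResult.points);
console.log("safe:  ", safeResult.updated.role, safeResult.updated.points);
console.log("rejected fields:", safeResult.rejected.join(", "));
```

A non-empty `rejected` list that contains `role` or `points` is also a useful detection signal, since a normal frontend never sends those fields.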
