# CTF - param abuse

There are some cases that you can modify the HTTP request parameter to become an admin or privileged users for web access. 

This example shows you can change the POST request parameter in body - acctype=1 to 2 to become an administrator (Step 2). 

<figure><img src="https://4082237222-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA4bAkddGXesk1QCLYAY%2Fuploads%2F0cFWpmAQJuUjRLUyp5FT%2Fimage.png?alt=media&#x26;token=dd32b96c-55d6-4d42-a795-4c057d19a12b" alt=""><figcaption></figcaption></figure>

This is another example by adding the 'role' parameter and 'admin' value.  /\*\*/ is a single space in the URL to bypass a filter. Note that this can be analyzed by having the source code ready.&#x20;

<figure><img src="https://4082237222-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA4bAkddGXesk1QCLYAY%2Fuploads%2F4n9yzB9Xy2F1WdtGhk3h%2Fimage.png?alt=media&#x26;token=afe4c3e3-9756-4d86-9fbd-a5ba7d9d67ec" alt=""><figcaption></figcaption></figure>