User ID controlled by request parameter with password disclosure
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure
This lab has a user account page that contains the current user's existing password, prefilled in a masked input.
To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
We start by logging in as the wiener user.
Checking this request, we can see that the page takes the username 'wiener' as the id parameter,
and the response contains the password in cleartext!
So, by changing the id to 'administrator' we are able to disclose the administrator's password:
Now we can log in as administrator, access the Admin panel and delete the 'Carlos' user, completing the lab!
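
The two flaws behind this behaviour, and their fixes, sketched as an added example (this is not code from the lab or from this write-up). The function names, the status codes and the administrator password placeholder are assumptions made for illustration.

```python
import html

# Constructed sample data; the administrator password is a placeholder.
USERS = {
    "wiener": {"password": "peter"},
    "administrator": {"password": "PLACEHOLDER-admin-pw"},
}


def account_page_vulnerable(session_user, requested_id):
    """Behaviour described above: trusts the id parameter, echoes the password."""
    user = USERS.get(requested_id)
    if user is None:
        return 404, ""
    # type="password" only masks the value on screen; it is cleartext in the HTML.
    body = (
        f"<p>Your username is: {html.escape(requested_id)}</p>"
        f'<input type="password" name="password" '
        f'value="{html.escape(user["password"])}">'
    )
    return 200, body


def account_page_hardened(session_user, requested_id=None):
    """Two independent fixes: ownership check, and no secret in the response."""
    if session_user not in USERS:
        return 401, ""
    # Fix 1: the account shown comes from the session. A client-supplied id
    # naming another account is rejected instead of being honoured.
    if requested_id is not None and requested_id != session_user:
        return 403, ""
    # Fix 2: the password field is rendered empty. A server that stores only
    # password hashes has nothing to prefill in the first place.
    body = (
        f"<p>Your username is: {html.escape(session_user)}</p>"
        '<input type="password" name="password" value="" '
        'autocomplete="new-password">'
    )
    return 200, body
```

Either fix alone leaves a weakness: the ownership check without the empty field still puts each user's own password in the page source, and the empty field without the ownership check still exposes other users' account pages.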