User ID controlled by request parameter with password disclosure

https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure

Description

This lab has user account page that contains the current user's existing password, prefilled in a masked input.

To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

we can start login as wiener user

Checking this request we can see that this page has as the username 'wiener' as id parameter

and in the response there's a cleartext password!

So, trying to change the id with 'admnistrator' we're able to disclosure administrator's password:

Now we can login as administrator, access to Admin panel and delte 'Carlos' user completing the lab!

Last updated 10 months ago