# User ID controlled by request parameter with password disclosure

#### [Horizontal to vertical privilege escalation](https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/horizontal-to-vertical-privilege-escalation)

## Description

This lab has a user account page that contains the current user's existing password, prefilled in a masked input.

To solve the lab, retrieve the administrator's password, then use it to delete the user `carlos`.

You can log in to your own account using the following credentials: `wiener:peter`

## Solution

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FwtMHwSHBS4MyjOblP17M%2Fimage.png?alt=media&#x26;token=0cd3ab9a-c7d5-42ec-9312-fc612f049a3c" alt=""><figcaption></figcaption></figure>

We start by logging in as the `wiener` user.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FzIhYoFxGpKHONuTa7N7j%2Fimage.png?alt=media&#x26;token=86527765-0e50-43ac-9e41-c40aaf0b60cc" alt=""><figcaption></figcaption></figure>

Checking this request in Burp, we can see that the account page identifies the user to display through an `id` request parameter, which here carries the username `wiener`.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FfNexnbGpCZyJdRd0YBvp%2Fimage.png?alt=media&#x26;token=45303c0d-9da1-42eb-b698-8dcace75d3b2" alt=""><figcaption></figcaption></figure>

and in the response the user's password is present in cleartext, prefilled as the `value` of the masked password input.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FnxK1l9KZACCbwIVBvzYY%2Fimage.png?alt=media&#x26;token=fde6282e-fb57-48fe-8a26-6fa83e3a944e" alt=""><figcaption></figcaption></figure>

So, changing the `id` parameter to `administrator` while still authenticated as `wiener` discloses the administrator's password, since the server uses the parameter rather than the session to decide whose account to render:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FhGIdBf0HwvwOAUGJANr2%2Fimage.png?alt=media&#x26;token=f5cb6ecc-1e65-4857-96b3-e2897b3be8fc" alt=""><figcaption></figcaption></figure>

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FzUvLG65aA3BJSnhhrvnu%2Fimage.png?alt=media&#x26;token=7c0b770e-c94a-4fc8-8095-37454d1a8ade" alt=""><figcaption></figcaption></figure>

Now we can log in as `administrator`, open the admin panel and delete the user `carlos`, completing the lab.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FVTn86jwM2Juo4SdtEsBh%2Fimage.png?alt=media&#x26;token=5f47367b-8939-4690-8539-74bccb82e783" alt=""><figcaption></figcaption></figure>

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FbXIQhCtBScCOcNrnGide%2Fimage.png?alt=media&#x26;token=99a1761c-4119-45cf-bbba-a75c0c61eede" alt=""><figcaption></figcaption></figure>

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FT5JLwf47HnUY7pYk0gzn%2Fimage.png?alt=media&#x26;token=c86522b1-a238-4db8-850e-ddaab131d7f7" alt=""><figcaption></figcaption></figure>
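The walkthrough above, reduced to code as an added example that is not the lab's own implementation: a minimal model of the vulnerable account handler next to a hardened one, plus the same password extraction you would do by eye in the Burp response tab. The `/my-account?id=` path, the handler names and the `<input name="password">` layout are assumptions, and every password except the lab-supplied `wiener:peter` is constructed sample data.

```python
# Added example: a model of the lab's vulnerable account page and its fix.
# Not the lab's real code. Paths, names and the password-field layout are
# assumptions; all passwords except wiener:peter are constructed.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed user store. Storing plaintext passwords is what makes the
# disclosure possible at all; a real fix also replaces these with salted
# hashes so there is nothing that *could* be prefilled.
USERS = {
    "wiener": {"email": "wiener@example.com", "password": "peter"},
    "administrator": {"email": "admin@example.com", "password": "constructed-admin-pw"},
    "carlos": {"email": "carlos@example.com", "password": "constructed-carlos-pw"},
}


def render_account_page(username, email, password=None):
    """Account page template; only emits value= on the password field if given one."""
    value = f' value="{escape(password, quote=True)}"' if password is not None else ""
    return (
        "<h1>My Account</h1>"
        f"<p>Your username is: {escape(username)}</p>"
        f'<input type="email" name="email" value="{escape(email, quote=True)}">'
        f'<input type="password" name="password"{value}>'
    )


def vulnerable_my_account(url, session_user):
    """The lab's bug: the session only proves *someone* is logged in; which
    account to show comes from ?id=, so any username can be requested."""
    if session_user is None:
        return 302, ""  # not logged in -> redirect to /login
    params = parse_qs(urlparse(url).query)
    target = params.get("id", [session_user])[0]
    user = USERS.get(target)
    if user is None:
        return 404, "Not found"
    return 200, render_account_page(target, user["email"], user["password"])


def hardened_my_account(url, session_user):
    """Fix: identity comes from the authenticated session, the id parameter is
    ignored entirely, and the password is never sent back to the browser."""
    if session_user is None:
        return 302, ""
    user = USERS[session_user]
    return 200, render_account_page(session_user, user["email"])


class PrefilledPasswordExtractor(HTMLParser):
    """Pulls the value= of <input name="password"> out of a response body,
    i.e. what the screenshots show being read off the Burp response tab."""

    def __init__(self):
        super().__init__()
        self.password = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("name") == "password":
            self.password = dict(attrs).get("value")


def disclosed_password(body):
    parser = PrefilledPasswordExtractor()
    parser.feed(body)
    return parser.password


def exploit(handler, session_user="wiener", target="administrator"):
    """Reproduces the lab step: logged in as wiener, request ?id=<target> and
    read back whatever password the page prefilled. None means nothing leaked."""
    status, body = handler(f"/my-account?id={target}", session_user)
    return disclosed_password(body) if status == 200 else None


if __name__ == "__main__":
    print("vulnerable:", exploit(vulnerable_my_account))  # administrator's password
    print("hardened:  ", exploit(hardened_my_account))    # None
```

The check worth keeping from this: after a fix, re-send the original request with `id` pointed at another user and confirm both that the page still renders *your* account (the parameter is ignored, not just validated) and that no `value=` ever appears on the password field. Rejecting mismatched `id` values would close the horizontal step but still leave the password echo as a vertical escalation path if the check is ever bypassed.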
