User ID controlled by request parameter with password disclosure
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure
Description
This lab has user account page that contains the current user's existing password, prefilled in a masked input.
To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Solution
we can start login as wiener user
Checking this request we can see that this page has as the username 'wiener' as id parameter
and in the response there's a cleartext password!
So, trying to change the id with 'admnistrator' we're able to disclosure administrator's password:
Now we can login as administrator, access to Admin panel and delte 'Carlos' user completing the lab!
Last updated