User ID controlled by request parameter with password disclosure

https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure

Let's login using the following credentials:

Username
Password

wiener

peter

We can see that the password is included in the input field for resetting the password. However this password is hidden.

Let's view this in the Proxy > HTTP History tab.

We can clearly see the value of the password. We can view the administrator's password in a similar manner. Let's forward the request to the Repeater and set the id parameter to the following:

administrator

Now we can login as the administrator using the following credentials:

Username
Password

administrator

eg9yjeq3lztdlfb0bnay

We now have access to the admin panel.

Let's delete the carlos user.

We have solved the lab.

Last updated

Was this helpful?