User ID controlled by request parameter with password disclosure
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure
Last updated
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure
Last updated
Let's login using the following credentials:
Username | Password |
---|---|
wiener | peter |
We can see that the password is included in the input field for resetting the password. However this password is hidden.
Let's view this in the Proxy > HTTP History
tab.
We can clearly see the value of the password. We can view the administrator's password in a similar manner. Let's forward the request to the Repeater
and set the id
parameter to the following:
Now we can login as the administrator using the following credentials:
Username | Password |
---|---|
administrator | eg9yjeq3lztdlfb0bnay |
We now have access to the admin panel.
Let's delete the carlos
user.
We have solved the lab.