Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: User ID controlled by request parameter with password disclosure

APPRENTICE

This lab has user account page that contains the current user's existing password, prefilled in a masked input.

To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

ACCESS THE LAB

Solution

  1. Log in using the supplied credentials and access the user account page.
  2. Change the "id" parameter in the URL to administrator.
  3. View the response in Burp and observe that it contains the administrator's password.
  4. Log in to the administrator account and delete carlos.

Community solutions

Rana Khalil
Michael Sommer (no audio)

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find access control vulnerabilities using Burp Suite

Try for free