User ID controlled by request parameter with password disclosure | Dec 14, 2022
Introduction
Welcome to another of my writeups! In this PortSwigger Labs lab, you'll learn: User ID controlled by request parameter with password disclosure! Without further ado, let's dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab has a user account page that contains the current user's existing password, prefilled in a masked input.
To solve the lab, retrieve the administrator's password, then use it to delete carlos.
You can log in to your own account using the following credentials: wiener:peter
Exploitation
Home page:
Log in as user wiener:
In the previous labs, we found that the My account link is supplying an id GET parameter:
This time, however, we can also see that we can update our own password, and that it's prefilled in a masked input.
Hmm… Can we inspect that password?
Cool, we can see our own password.
How about using the My account link to view another user's password? Like administrator:
To do so, I’ll use Burp Suite’s Repeater:
Now we can view administrator's password: bdxywccjia4y27fb9yty. Let's log in as administrator and delete user carlos!
We found the Admin panel!
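To make the root cause concrete, here is an added example (my own illustration, not the lab's back end or any PortSwigger code) that models the My account handler twice: the vulnerable version chooses the account from the client-supplied id parameter and echoes the stored password, while the fixed version resolves the account from the server-side session, rejects any mismatching id, and never returns the password at all. The user store, the parameter names and the Forbidden exception are assumptions constructed for the example.

```python
# Added example, not code from the lab: a minimal model of the "My account"
# handler, vulnerable and fixed side by side. The user records, the `id`
# parameter name and the session representation are constructed for illustration.

# Constructed sample user store. Plaintext passwords only mirror the lab's
# behaviour of prefilling the password field; a real system stores hashes.
USERS = {
    "wiener": {"password": "peter", "email": "wiener@example.com"},
    "administrator": {"password": "admin-password-placeholder",
                      "email": "admin@example.com"},
}


class Forbidden(Exception):
    """Raised when the session user asks for an account that is not their own."""


def account_page_vulnerable(session_user: str, params: dict) -> dict:
    """IDOR: the account shown is selected by the client-controlled `id`
    parameter, and the response carries the stored password, so any
    authenticated user can read any other user's password."""
    target = params.get("id", session_user)
    record = USERS[target]
    return {"username": target,
            "email": record["email"],
            "password": record["password"]}


def account_page_fixed(session_user: str, params: dict) -> dict:
    """Authorization is derived from the server-side session, not from the
    request. An `id` that names a different user is rejected (and is worth
    logging as a probable horizontal privilege-escalation attempt), and the
    password is never sent back to the client."""
    requested = params.get("id")
    if requested is not None and requested != session_user:
        raise Forbidden(f"{session_user} requested account {requested}")
    record = USERS[session_user]
    return {"username": session_user, "email": record["email"]}
```

The same checks apply to the password-update form: the target account must come from the session, and the current password should never be prefilled into the page.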
What we’ve learned:
- User ID controlled by request parameter with password disclosure