apsyleg · 1 min read
#portswigger #access-control #web-security
User ID Controlled by Request Parameter with Password Disclosure
Lab
User ID controlled by request parameter with password disclosure · Apprentice
Solution
Given
This lab has a user account page that contains the current user's existing password, prefilled in a masked input.
To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Analyzing the task
The account page displays the logged-in user's password, and the `id` query parameter decides whose account is shown. So the plan is: open the administrator's account page, read the password out of the form, log in as administrator, and delete the user carlos.
Recon
Log in to the site:
GET /my-account?id=wiener
Yes, the password is in the response, as the value of the masked password input.
For the administrator:
GET /my-account?id=administrator
<input required type=password name=password value='5b8q4c801sij55bvvtfx'/>
Log in as administrator / 5b8q4c801sij55bvvtfx. Delete the user. Lab solved.
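The lab combines two defects: the handler trusts the client-supplied `id` parameter instead of the session, and it echoes the stored password back into the form. The following is an added example, not code from the lab or from this writeup, showing the vulnerable pattern next to a hardened handler in plain Python so it runs offline. The user store, the `Request` object, the `Forbidden` exception and the audit log are constructed for illustration; the passwords in the store are placeholders, not lab values.

```python
"""Added example: IDOR on an account page, vulnerable vs hardened handler.
Everything here (USERS, Request, Forbidden, AUDIT_LOG) is constructed for
illustration and is not the lab's own code."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store. Plaintext passwords are kept only to mirror
# the lab's behaviour; a real store would hold a salted password hash.
USERS = {
    "wiener": {"password": "peter", "email": "wiener@example.invalid"},
    "administrator": {"password": "PLACEHOLDER-admin-pw",
                      "email": "admin@example.invalid"},
}

# Constructed audit log: every denied cross-account access is recorded here
# so that probing of other users' ids shows up in monitoring.
AUDIT_LOG = []


@dataclass
class Request:
    session_user: Optional[str]   # identity bound to the session cookie
    query_id: Optional[str]       # the ?id= parameter sent by the client


class Forbidden(Exception):
    """Raised by the hardened handler when the request is not authorised."""


def my_account_vulnerable(req: Request):
    """Mirrors the lab: ?id= selects the account and the stored password is
    placed into the masked input's value attribute."""
    user = USERS.get(req.query_id)
    if user is None:
        return None
    return {
        "username": req.query_id,
        "email": user["email"],
        "form_password_value": user["password"],   # secret leaks to the client
    }


def my_account_hardened(req: Request):
    """Identity comes from the session only. A ?id= that names another
    account is refused and logged, and the password never leaves the server."""
    if req.session_user is None or req.session_user not in USERS:
        raise Forbidden("login required")
    if req.query_id is not None and req.query_id != req.session_user:
        AUDIT_LOG.append(
            f"denied: session user {req.session_user!r} "
            f"requested account {req.query_id!r}")
        raise Forbidden("cannot view another user's account")
    user = USERS[req.session_user]
    return {
        "username": req.session_user,
        "email": user["email"],
        "form_password_value": "",   # leave the password field empty
    }


if __name__ == "__main__":
    probe = Request(session_user="wiener", query_id="administrator")
    print("vulnerable:", my_account_vulnerable(probe))
    try:
        my_account_hardened(probe)
    except Forbidden as exc:
        print("hardened:", exc)
    print("audit:", AUDIT_LOG)
```

The hardened version does two independent things: it derives the account from the session rather than from the query string, and it stops treating the password as displayable data. Fixing only the first would still expose each user's own password in page source; fixing only the second would still let any user read other users' profile details. The denied-access log entries are the detection hook: a session that repeatedly requests ids other than its own is exactly the probing pattern this lab demonstrates.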