User ID controlled by request parameter with password disclosure
Description
This lab has user account page that contains the current user’s existing password, prefilled in a masked input.
Reproduction and proof of concept
Log in with
wiener:peter, and access the user account page.Change the “id” parameter in the URL to
administrator.View the response in Burp and observe that it contains the administrator’s password.
Log in to the administrator account and delete
carlos.
Exploitability
An attacker will need to retrieve the administrator’s password, then use it to delete carlos.