Level 8: User ID Controlled by Request Parameter with Password Disclosure

Objective

Solve the lab by retrieving the administrator's password and using it to delete the user "carlos".

Explanation

This lab demonstrates a vulnerability where the current user's password is disclosed in a prefilled masked input field. By modifying the user ID in the request parameter, an attacker can access another user's (in this case, the administrator’s) account information, including the password. This allows the attacker to log in as the administrator and perform privileged actions, such as deleting users.

Resolution

  1. Log in to your account using the provided credentials: wiener:peter.

  2. Navigate to the "My Account" page where your username and options to change your email and password are displayed.

  3. Modify the URL to change wiener to administrator (e.g., /my-account?id=administrator).

  4. After this, the username will show as "administrator" and the password field will now display a longer password. You have two options:

    1. Change the password to something you want.

    2. Reveal the password using the browser's developer tools (right-click the password field and choose "Inspect", then change the type="password" to type="text").

  5. Once you have the administrator's password, log out and log back in using the credentials administrator and the revealed password.

  6. Go to the Admin Panel and delete the user "carlos" to complete the lab.

Mitigation

  • Access Control: Ensure that users cannot access or modify other users' sensitive information. Implement proper authorization checks on all request parameters, especially those that control user identity.

  • Password Disclosure: Never expose passwords, even in a masked form, in the response body or in the DOM. Use secure methods for password management (e.g., hashed and salted passwords) and ensure that sensitive fields are not prefilled.

  • Session Management: Do not allow users to modify their session or user ID through URL parameters or request modifications. Always validate and sanitize input data on the server side.
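As an added illustration of the first two mitigations (example code written for this page, not the lab's own implementation), the account-page handler in the vulnerable shape the lab exhibits sits beside a hardened one that takes identity only from the session and never prefills the password; the user store, `Request` class, `AUDIT` list and passwords are constructed stand-ins.

```python
from typing import Optional
from dataclasses import dataclass, field

# Constructed user store. The plaintext password column exists only to mirror
# the lab's bug; a real store holds salted hashes and the page never reads them.
USERS = {
    "wiener": {"email": "wiener@example.test", "password": "peter"},
    "administrator": {"email": "admin@example.test", "password": "ADMIN-PW-PLACEHOLDER"},
}
AUDIT: list = []  # stand-in for a security log sink

@dataclass
class Request:
    session_user: Optional[str]                 # identity bound to the session cookie
    params: dict = field(default_factory=dict)  # query string, attacker controlled

def vulnerable_my_account(req: Request) -> dict:
    """The lab's shape: trusts ?id= and prefills the masked password input."""
    uid = req.params.get("id", req.session_user)
    user = USERS[uid]
    return {"status": 200, "username": uid, "email": user["email"],
            "password_field": user["password"]}  # masked in the UI, readable in the DOM

def secure_my_account(req: Request) -> dict:
    """Identity comes only from the server-side session; the password never leaves the server."""
    if req.session_user is None:
        return {"status": 401}
    requested = req.params.get("id")
    if requested is not None and requested != req.session_user:
        # Refuse and record it: a session asking for another id is a detection signal.
        AUDIT.append(f"idor_attempt session_user={req.session_user} id={requested}")
        return {"status": 403}
    user = USERS[req.session_user]
    return {"status": 200, "username": req.session_user, "email": user["email"],
            "password_field": ""}  # change-password form starts empty
```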
