User ID controlled by request parameter with password disclosure
Let's log in using the following credentials:
| Username | Password |
|---|---|
| wiener | peter |
We can see that the current password is included in the input field for resetting the password. However, the field masks it, so the value is hidden on the page.
Let's view this in the Proxy > HTTP History tab.
We can clearly see the value of the password. We can view the administrator's password in a similar manner.
Let's forward the request to the Repeater and set the id parameter to the following:
administrator
Now we can log in as the administrator using the following credentials:
| Username | Password |
|---|---|
| administrator | eg9yjeq3lztdlfb0bnay |
We have access to the admin panel.
Let's delete the carlos user.
We have solved the lab.
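
The flaw used in this walkthrough, modelled next to a corrected handler. This is an added example, not code from the lab or its vendor; the function names, the in-memory user store and the placeholder passwords are assumptions made for illustration.

```python
import html

# Constructed sample store. Usernames match the walkthrough; passwords are
# placeholders. Plaintext storage is kept only to mirror the flaw.
USERS = {
    "wiener": {"password": "placeholder-wiener-pw"},
    "administrator": {"password": "placeholder-admin-pw"},
}


def account_page_vulnerable(session_user, requested_id):
    """Hypothetical handler with the flaw: the id parameter alone selects the
    account, and the stored password is rendered into the masked field."""
    user = USERS.get(requested_id)
    if user is None:
        return 404, "Not found"
    return 200, (
        f"<p>Your username is: {html.escape(requested_id)}</p>"
        f'<input type="password" name="password" '
        f'value="{html.escape(user["password"])}">'
    )


def account_page_hardened(session_user, requested_id):
    """Hypothetical fix: authorize against the session identity and never
    send the current password back to the client."""
    if session_user not in USERS:
        return 302, "/login"          # no valid session: redirect to login
    if requested_id != session_user:
        return 403, "Forbidden"       # id must match the authenticated user
    return 200, (
        f"<p>Your username is: {html.escape(session_user)}</p>"
        '<input type="password" name="password" value="">'
    )


def leaks_password(body, username):
    """True if the rendered page contains the stored password of username."""
    return html.escape(USERS[username]["password"]) in body
```

Masking an input field only changes how the browser draws it; anything placed in the `value` attribute is readable in the raw response, which is why the hardened handler leaves it empty.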