User ID controlled by request parameter with password disclosure

https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure

Level: Apprentice

  • We need to retrieve a password like literally all the access control series.

  • If you complete the past labs, this lab is like the last we do.

  • Just change the id parameter to administrator or Carlos.

  • This time the in the response is filtering the password.

  • Log in as the user Administrator and complete the lab.

PreviousUser ID controlled by request parameter with data leakage in redirectNextInsecure Direct Object References (IDOR)

Last updated