
🗂️PortSwigger Lab Writeup: UserID Controlled by Request Parameter with Password Disclosure

[Image: PortSwigger lab banner: UserID controlled by request parameter with password disclosure]


🎯 Objective

The objective of this lab is to exploit a broken access control: the user account page is vulnerable to horizontal privilege escalation, and it prefills the account's password into a masked input. The goal is to access the admin panel and delete the user carlos.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-password-disclosure
  • Category: Access Control
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    [Screenshot: shopping website homepage displaying product listings and navigation menu]
    [Screenshot: login page with username and password fields]
  • At first glance, the website is a shopping site with a login page. The lab description says we need to access the admin panel and then delete the account of carlos.

📝Step 2: Retrieve Admin Credentials

  • Log in with the credentials of user wiener to reach the account page first.
    [Screenshot: login page with wiener credentials]
  • On the user account page /my-account?=wiener, the password of wiener is prefilled as a masked value.
  • Change /my-account?=wiener to /my-account?=administrator to access the account page of administrator. The page is served without checking that the requested account belongs to the logged-in user.
    [Screenshot: administrator account page accessed via parameter tampering, showing the prefilled masked password]
  • Now open the page source and copy the administrator's password from the masked password field.

🧑‍💼Step 3: Delete carlos

  • Log in with the administrator credentials to access the admin panel.
    [Screenshot: login form with the administrator username and the password extracted in the previous step]
  • Click on Admin Panel.
    [Screenshot: admin panel dashboard showing the user management interface]
    [Screenshot: user list in the admin panel with delete options for all users, including carlos]
  • Click the Delete option for carlos to delete the account.
    [Screenshot: lab solved confirmation message after successfully deleting carlos]
  • Finally, the lab is solved.

🧠 Conclusion

  • This lab demonstrated how password disclosure in masked input fields combined with horizontal privilege escalation enables complete account compromise. By changing the user parameter and viewing the HTML source, we extracted the administrator password and escalated privileges.
  • The impact is critical — sensitive information like passwords should never be prefilled in input fields, even if masked. Client-side masking provides no security as attackers can always inspect the HTML source or intercept the response.
  • Fix: never prefill sensitive fields like passwords, implement proper access control to prevent parameter-based enumeration, validate server-side that users can only access their own data, use secure password storage and transmission, and ensure sensitive data is not exposed in any part of the response including hidden form fields.
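To make the Step 2 behaviour and the fix concrete, here is an added Python illustration (not PortSwigger's lab code) of a "my account" handler in both forms: the broken version selects the record from the request parameter and writes the stored password into a masked input, while the hardened version takes the identity from the authenticated session, rejects a mismatching parameter, and never puts the password in the response. The user store, the placeholder passwords, the `id` parameter name, and the tiny HTML template are all assumptions made for this example.

```python
"""Vulnerable vs hardened account-page handler (added illustration, not the lab's code).

Assumptions for this example: an in-memory user store, an `id` query parameter
selecting the account, and a minimal HTML template rendered as a string.
"""
from html import escape

# Constructed sample data; the passwords are placeholders, not real credentials.
USERS = {
    "wiener": {"email": "wiener@example.test", "password": "WIENER-PLACEHOLDER"},
    "administrator": {"email": "admin@example.test", "password": "ADMIN-PLACEHOLDER"},
    "carlos": {"email": "carlos@example.test", "password": "CARLOS-PLACEHOLDER"},
}


def vulnerable_account_page(session_user: str, query: dict) -> str:
    """Broken pattern, as in the lab.

    The record shown is chosen by the request parameter rather than the session,
    so any logged-in user can request any account (horizontal privilege escalation).
    The stored password is prefilled into a type="password" input; masking happens
    only in the browser, so the value is plainly visible in the page source.
    """
    target = query.get("id", session_user)
    user = USERS.get(target)
    if user is None:
        return "<p>No such user</p>"
    return (
        f"<h1>My account: {escape(target)}</h1>"
        f'<input name="email" value="{escape(user["email"])}">'
        f'<input type="password" name="password" value="{escape(user["password"])}">'
    )


def secure_account_page(session_user: str, query: dict) -> str:
    """Hardened handler.

    1. Identity comes from the authenticated session, never from the URL.
    2. If the request names a different account, refuse it (a 403 in a real app);
       refusing rather than silently ignoring the parameter also gives a clear
       signal to log and alert on.
    3. The password is never written into the response, masked or otherwise.
    """
    requested = query.get("id")
    if requested is not None and requested != session_user:
        return "<p>Forbidden</p>"
    user = USERS.get(session_user)
    if user is None:
        return "<p>Forbidden</p>"  # unknown session identity: fail closed
    return (
        f"<h1>My account: {escape(session_user)}</h1>"
        f'<input name="email" value="{escape(user["email"])}">'
        '<input type="password" name="password" value="">'
    )


def response_leaks_password(html: str) -> bool:
    """Simple response check: does any stored password appear verbatim in the page?"""
    return any(u["password"] in html for u in USERS.values())


if __name__ == "__main__":
    # wiener, logged in, requests the administrator's page (Step 2 of the writeup).
    tampered = {"id": "administrator"}
    print("vulnerable:", vulnerable_account_page("wiener", tampered))
    print("leaks password:", response_leaks_password(vulnerable_account_page("wiener", tampered)))
    print("hardened:  ", secure_account_page("wiener", tampered))
    print("leaks password:", response_leaks_password(secure_account_page("wiener", {})))
```

The `response_leaks_password` check is the kind of assertion worth keeping in a test suite: it fails the moment anyone reintroduces a prefilled password, regardless of how the input is masked on the client.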