User ID Exploitation in Lab 9

1) The document describes a lab experiment where the user logged in as "wiener" and was able to access the administrator account page by changing the request ID parameter to "administrator", revealing the administrator's password in the response. 2) With this password, the user logged in as the administrator and accessed the admin panel to delete another user, completing the lab. 3) The lessons highlighted are to not include user identifiers directly in requests and that passwords can be deduced from responses with basic HTML knowledge of how password fields work.

Uploaded by DODOXD Mekheimer

Lab 9 - User ID controlled by request parameter with password disclosure.
Ahmed Khaled Saad Ali, ID: 1809799
Lab Progress & Screenshots:
Logged in as wiener.

We find this request, which carries an identifier for the user of the logged-in account.
We send the request to the “Repeater”, change its “id” field to
“administrator” and send the request. We should get the password in the response
because it is displayed on the account page and, as we know, in HTML an input of
type password carries its current value right there in its “value” attribute. We copy
the password’s value.

We log in with the administrator’s password.


Administrator’s account page accessed.

Admin panel accessed.

Carlos is deleted, Lab solved.

Lessons:
1) Don’t simply include a user identifier in the request he sends and then trust it server-side.
2) With minimal HTML knowledge, the password’s value was deduced from the response.
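To make both lessons concrete, here is an added example (not part of the original lab writeup) in plain Python with a constructed in-memory user store: the vulnerable account handler that picks the account from the client-supplied id and writes the stored password into the password input’s value attribute, a fixed handler that takes the user from the server-side session and never echoes the password, and a small HTML check a test suite can run over responses to flag any pre-filled password field. The fixed handler goes one step beyond the lab by rejecting an id that names anyone other than the session user; the 403/302 responses and the field names are my assumptions.

```python
from html.parser import HTMLParser

# Constructed in-memory user store with sample values (not the lab's real accounts).
USERS = {
    "wiener": {"password": "wiener-pw-sample"},
    "administrator": {"password": "admin-pw-sample"},
}

def render_account_vulnerable(session, query):
    """Vulnerable: the account shown is chosen by the client-supplied ?id=...
    (the session is never consulted) and the stored password is written into
    the password input's value attribute, so it is readable in the HTML."""
    user_id = query.get("id")
    user = USERS.get(user_id)
    if user is None:
        return 404, "Not found"
    return 200, (f"<h1>{user_id}</h1>"
                 f'<input type="password" name="password" value="{user["password"]}">')

def render_account_fixed(session, query):
    """Fixed: the account is taken from the server-side session; a client-supplied
    id naming anyone else is rejected, and the stored password is never echoed."""
    user_id = session.get("user")
    if user_id is None:
        return 302, "Redirect to /login"
    requested = query.get("id")
    if requested is not None and requested != user_id:
        return 403, "Forbidden"
    return 200, (f"<h1>{user_id}</h1>"
                 '<input type="password" name="password" value="" '
                 'autocomplete="new-password">')

class _PrefilledPasswordFinder(HTMLParser):
    """Collects non-empty value attributes of <input type="password"> tags."""
    def __init__(self):
        super().__init__()
        self.leaked = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password" and a.get("value"):
            self.leaked.append(a["value"])

def prefilled_password_values(body):
    """Regression check for responses: every password value the page pre-fills.
    An empty list is the expected result for a fixed account page."""
    finder = _PrefilledPasswordFinder()
    finder.feed(body)
    return finder.leaked
```

Running prefilled_password_values over every authenticated page in a test suite catches this disclosure regardless of which id the client sent.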
