| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Horizontal to Vertical Privilege Escalation, Password Disclosure) |
| Difficulty | Apprentice |
| Objective | Retrieve the administrator's password, then use it to delete the user carlos |
User ID Controlled by Request Parameter with Password Disclosure
Log in as wiener:peter:
web-security-academy.net/my-account?id=wiener
There's an update email form and an update password form. The password input is prefilled with our own current password (peter), just masked:
```html
<input required="" type="password" name="password" value="peter">
```
Going to:
web-security-academy.net/my-account?id=carlos
Same horizontal privilege escalation as the earlier labs: we can see Carlos's account page, including his prefilled password field. Switching the input's type from password to text in devtools reveals Carlos's password in plaintext. The masking of a type="password" input is purely client-side; the server has already placed the real value in the HTML, so anyone who can load the page can read it.
Applying the same technique to the administrator account:
web-security-academy.net/my-account?id=administrator
Same trick reveals the administrator's password. Logging in as administrator and going to /admin:
Deleting carlos:
Deleting carlos solves the lab.