Lab: User ID controlled by request parameter with password disclosure
This lab has an "Account Details" page for users that contains their existing password prefilled in a masked input.
To solve the lab, retrieve the administrator's password, then use it to delete
You can access your own account using
Log in using the supplied credentials and access My Account.
Change the "id" parameter in the URL to "administrator".
View the response in Burp and observe that it contains the administrator's password.
Log in to the administrator account and delete
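As an added example, not part of the lab or PortSwigger's own code, here is a minimal Python model of the account-details endpoint: the lab-style handler next to a hardened one, plus a log check that flags requests whose "id" does not match the session user. The user store and log lines are constructed, and the handler signatures are an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory user store standing in for the lab's database.
# Passwords are kept in the clear only to reproduce the lab's behaviour of
# returning the stored value; a real store would hold a password hash.
USERS = {
    "wiener": {"email": "wiener@example.test", "password": "wiener-secret-placeholder"},
    "administrator": {"email": "admin@example.test", "password": "admin-secret-placeholder"},
}

def account_details_vulnerable(session_user, query):
    """Lab-style handler: the client-controlled "id" picks the record and the
    stored password is serialised into the response. The masked input in the
    HTML hides it from the eye, not from a proxy viewing the raw response."""
    user_id = query.get("id", session_user)
    record = USERS.get(user_id)
    if record is None:
        return 404, {}
    return 200, {"id": user_id, "email": record["email"], "password": record["password"]}

def account_details_fixed(session_user, query):
    """Hardened handler: the acting identity comes from the session, a request
    for any other account is refused, and the password is never serialised."""
    requested = query.get("id", session_user)
    if requested != session_user:
        return 403, {"error": "forbidden"}
    record = USERS[session_user]
    return 200, {"id": session_user, "email": record["email"]}

# Detection over constructed access-log lines of the form
# "<timestamp> user=<session user> GET <path> <status>".
LOG_LINE = re.compile(r"user=(?P<user>\S+) GET (?P<target>\S+) (?P<status>\d{3})")

def find_id_mismatches(log_lines):
    """Return (session user, requested id) pairs where an authenticated user
    asked /my-account for an id other than their own."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/my-account":
            continue
        requested = parse_qs(parts.query).get("id", [m.group("user")])[0]
        if requested != m.group("user"):
            hits.append((m.group("user"), requested))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "2024-05-01T10:00:00Z user=wiener GET /my-account?id=wiener 200",
    "2024-05-01T10:00:07Z user=wiener GET /my-account?id=administrator 200",
    "2024-05-01T10:00:09Z user=wiener GET /static/app.js 200",
]
```

The mismatch check is a coarse signal: a legitimate application should never need a logged-in user to name a different account on this endpoint, so any hit is worth an alert.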