1. Web Security Academy
  2. Business logic vulnerabilities
  3. Examples
  4. Lab

Lab: Weak isolation on dual-use endpoint


This lab makes a flawed assumption about the user's privilege level based on their input. As a result, you can exploit the logic of its account management features to gain access to arbitrary users' accounts. To solve the lab, access the administrator account and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter