Lab: Weak isolation on dual-use endpoint
This lab makes a flawed assumption about the user's privilege level based on their input. As a result, you can exploit the logic of its account management features to gain access to arbitrary users' accounts. To solve the lab, access the
administrator account and delete Carlos.
You can log in to your own account using the following credentials:
- With Burp running, log in and access your account page.
- Change your password.
POST /my-account/change-passwordrequest in Burp Repeater.
Notice that if you remove the
current-passwordparameter entirely, you are able to successfully change your password without providing your current one.
Observe that the user whose password is changed is determined by the
username=administratorand send the request again.
Log out and notice that you can now successfully log in as the
administratorusing the password you just set.
- Go to the admin panel and delete Carlos to solve the lab.