Weak isolation on dual-use endpoint

Description

This lab makes a flawed assumption about the user’s privilege level based on their input. As a result, it is possible to exploit the logic of its account management features to gain access to arbitrary users’ accounts.

Reproduction

  1. With Burp running, log in with wiener:peter and access the account page.

  2. Change the password.

  3. Study the POST /my-account/change-password request in Burp Repeater.

  4. Notice that if you remove the current-password parameter entirely, you are able to successfully change the password without providing the current one.

  5. The user whose password is changed is determined by the username parameter. Set username=administrator and send the request again.

  6. Log out and notice that you can now successfully log in as the administrator using the password just set.

  7. Go to the admin panel and delete Carlos to solve the lab.

PoC

Exploitability

An attacker will need to log in; access the administrator account and delete Carlos.