Broken Access Control - Lab #10 User ID controlled by param with password disclosure | Long Version

Rana Khalil
In this video, we cover Lab #10 in the Access Control Vulnerabilities module of the Web Security Academy. This lab has a user account page that contains the current user's existing password, prefilled in a masked input. To solve the lab, we retrieve the administrator's password, then use it to delete carlos.

▬ ✨ Support Me ✨ ▬▬▬▬▬▬▬▬▬▬
Buy my course: bit.ly/30LWAtE

▬ 📖 Contents of this video 📖 ▬▬▬▬▬▬▬▬▬▬
00:00 - Introduction
00:13 - Web Security Academy Course (bit.ly/30LWAtE)
01:24 - Navigation to the exercise
02:01 - Understand the exercise and make notes about what is required to solve it
02:33 - Exploit the lab
28:11 - Summary
28:24 - Thank You

▬ 🔗 Links 🔗 ▬▬▬▬▬▬▬▬▬▬
Notes.txt document: github.com/rkhal101/Web-Security-Academy-Series/bl…
Python script: github.com/rkhal101/Web-Security-Academy-Series/bl…
Web Security Academy Exercise Link: portswigger.net/web-security/access-control/lab-us…
Rana's Twitter account: twitter.com/rana__khalil
Published 17 hours ago, on 1403/07/12.
Viewed 1,830 times