Imagine we have this website.

Now let's try to log in.

Now let's try to change the user's password.

Now let's try to change the name to administrator and see what happens.

Notice that it says the current password is incorrect.
But let's try removing the current password parameter and sending the request again.

Notice that it says we changed the password successfully. What happened here is that the application does not enforce the current password check before resetting the password.
Now let's go and log in to the admin account.

Now let's navigate to the admin panel.

Now let's remove the user carlos.

And we solved the lab.
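
The missing check described above, shown next to a corrected handler. This is an added example, not code from the lab or the original walkthrough; the field names `username`, `current-password` and `new-password`, the account `user1` and all passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac

def digest(pw):
    # SHA-256 keeps the example short; production code needs a slow hash (Argon2, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()

def make_users():
    # Constructed sample accounts and passwords.
    return {"user1": digest("user1-pass"), "administrator": digest("admin-pass")}

def change_password_vulnerable(users, session_user, form):
    # Behaviour described in the walkthrough: the target account is taken from
    # the request, and the check runs only when the field is present.
    target = form.get("username")
    if target not in users:
        return "user not found"
    if "current-password" in form:
        if not hmac.compare_digest(users[target], digest(form["current-password"])):
            return "current password is incorrect"
    users[target] = digest(form["new-password"])
    return "password changed"

def change_password_hardened(users, session_user, form):
    # The account comes from the authenticated session, never from the request,
    # and a missing current password is a failure rather than a skipped check.
    current = form.get("current-password")
    new = form.get("new-password")
    if session_user not in users or not current or not new:
        return "missing required field"
    if not hmac.compare_digest(users[session_user], digest(current)):
        return "current password is incorrect"
    users[session_user] = digest(new)
    return "password changed"

def replay(handler):
    # Replays the two requests from the walkthrough while logged in as user1 and
    # reports each response plus whether the administrator's hash changed.
    users = make_users()
    before = users["administrator"]
    wrong = handler(users, "user1", {"username": "administrator",
                                     "current-password": "guess", "new-password": "x"})
    absent = handler(users, "user1", {"username": "administrator", "new-password": "x"})
    return wrong, absent, users["administrator"] != before
```

With the hardened handler, the request that omits the current password is rejected and the administrator's stored hash never changes, because the handler ignores any account name supplied in the request.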