Lab: User ID controlled by Request Parameter with Password disclosure
This lab shows the flaws in using a request parameter to decide which user's account page to serve, combined with displaying that user's current password on the account page. This can easily be exploited if you know the usernames of other users.
I was once again given the usual credentials of user 'wiener' with password 'peter'.
I load the website to look around:
I then log in with my credentials and intercept the requests and responses. This website looks up users by their usernames in the URL parameters, so I modify a request for `/my-account` to get me the account page of the administrator:
This does get me the account page of the admin, but the password seemed to be masked and could not be copied. Luckily, on an accidental right click on the password field, the drop-down menu had the option to reveal the password, which I had to manually write out in a text editor window as it couldn't be copied:
In hindsight I should have just looked at the page source, as that would have saved me the trouble of typing out this password, but anyway I then logged in using the newly found admin credentials.
I find that the admin panel has now become available to me, using which I delete the user 'carlos'.
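To make the two defects in this lab concrete, here is an added example (not code from the lab or from this post) modelling the `/my-account` handler: one version trusts the `id` request parameter and renders the password into the page, the other takes the identity from the server-side session and never returns the password. The user records, the session and parameter shapes, and the admin password are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str  # kept in clear only to model the lab's disclosure; a real store holds a hash
    email: str


# Constructed sample accounts; the admin password is a placeholder, not the lab's value
USERS = {
    "wiener": User("wiener", "peter", "wiener@example.test"),
    "administrator": User("administrator", "CONSTRUCTED-admin-secret", "admin@example.test"),
}


def vulnerable_my_account(session: dict, params: dict) -> dict:
    """Chooses the account from the `id` request parameter and echoes the password.

    Any logged-in user who knows another username reaches that account, and the
    password lands in the HTML source even if the input field masks it visually."""
    if "user" not in session:
        return {"status": 302, "location": "/login"}
    user = USERS.get(params.get("id", session["user"]))
    if user is None:
        return {"status": 404}
    return {"status": 200, "username": user.username, "email": user.email,
            "password": user.password}


def hardened_my_account(session: dict, params: dict) -> dict:
    """Uses only the authenticated session to pick the account; never returns the password.

    A mismatching `id` parameter is refused rather than silently ignored, so the
    resulting 403 is a useful signal in access logs."""
    if "user" not in session:
        return {"status": 302, "location": "/login"}
    requested = params.get("id")
    if requested is not None and requested != session["user"]:
        return {"status": 403}
    user = USERS[session["user"]]
    # Password change flows should require the current password, not display it
    return {"status": 200, "username": user.username, "email": user.email}
```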