Hackzzz - The Notebook

User ID controlled by request parameter

https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter

Level: Apprentice

In this lab we need to obtain the API key of the user Carlos by making a horizontal priviledge escalation.

Here in the users my-accountwe see that we have an API Key
We have a email form, so I intercepted with burpsuite to make some recon on it.

There is nothing interesting in the requests that we are making to change our email.

In the URL we can see that there is an id parameter that identifies a user.
So, we can try to exploit this changing the username.

Now we are in the carlos user account by changing the user id to Carlos username, finally complete the challenge.

PreviousUser role can be modified in user profile NextUser ID controlled by request parameter, with unpredictable user IDs

Last updated 1 year ago