User ID controlled by request parameter
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter
Level: Apprentice
In this lab we need to obtain the API key of the user Carlos through horizontal privilege escalation.
On the my-account page we can see that we have an API key. There is also an email-change form, so I intercepted the request with Burp Suite to do some recon on it.
There is nothing interesting in the requests that we are making to change our email.
In the URL we can see that there is an id parameter that identifies a user.
So we can try to exploit this by changing the value of the id parameter.
Changing the id parameter to carlos puts us in Carlos's account, which reveals his API key and completes the challenge.
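To show the defect this lab is about next to its fix, here is an added Python model (not the lab's own code) of a /my-account handler: one version trusts the id request parameter, the other binds the account to the server-side session. USERS, SESSIONS, the handler names and the key values are constructed for the example.

```python
# Added example, not from the lab: a minimal model of /my-account?id=<user>.
# All users, sessions and keys below are constructed sample data.
USERS = {
    "wiener": {"api_key": "wiener-key-CONSTRUCTED"},
    "carlos": {"api_key": "carlos-key-CONSTRUCTED"},
}

# Session token -> authenticated username (constructed sample sessions).
SESSIONS = {"sess-wiener": "wiener", "sess-carlos": "carlos"}


class Forbidden(Exception):
    """Raised when a request may not read the requested account."""


def get_my_account_vulnerable(session_token, params):
    """Looks up whatever account the ?id= parameter names.

    The only check is 'is someone logged in', so any authenticated user can
    read any other user's API key: the horizontal privilege escalation the
    lab demonstrates.
    """
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return USERS[params["id"]]["api_key"]


def get_my_account_fixed(session_token, params):
    """Derives the account from the session, not from the URL.

    An id parameter is tolerated only when it matches the logged-in user,
    so /my-account?id=carlos from wiener's session is rejected.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    requested = params.get("id", user)
    if requested != user:
        # A mismatch here is a useful detection signal: log it and deny.
        raise Forbidden(f"{user} requested account of {requested}")
    return USERS[user]["api_key"]


def can_read(handler, session_token, user_id):
    """True if `handler` lets this session read `user_id`'s API key."""
    try:
        handler(session_token, {"id": user_id})
        return True
    except Forbidden:
        return False
```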