User ID controlled by request parameter | Dec 14, 2022
Introduction
Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: User ID controlled by request parameter! Without further ado, let’s dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab has a horizontal privilege escalation vulnerability on the user account page.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
You can log in to your own account using the following credentials: wiener:peter
Exploitation
Home page:
Login as user wiener:
Let’s view the source!
[...]
<section class="top-links">
<a href=/>Home</a><p>|</p>
<a href="/my-account?id=wiener">My account</a><p>|</p>
<a href="/logout">Log out</a><p>|</p>
</section>
[...]
In here, we can see the /my-account page can supply an id GET parameter!
What if I change it to another users? Like user carlos:
Boom! I’m user carlos, and found his API key!
What we’ve learned:
- User ID controlled by request parameter