siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

User ID controlled by request parameter | Dec 14, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: User ID controlled by request parameter! Without further ado, let’s dive in.

Background

This lab has a horizontal privilege escalation vulnerability on the user account page.

To solve the lab, obtain the API key for the user carlos and submit it as the solution.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

Let’s view the source!

[...]
<section class="top-links">
    <a href=/>Home</a><p>|</p>
    <a href="/my-account?id=wiener">My account</a><p>|</p>
    <a href="/logout">Log out</a><p>|</p>
</section>
[...]

In here, we can see the /my-account page can supply an id GET parameter!

What if I change it to another users? Like user carlos:

Boom! I’m user carlos, and found his API key!

What we’ve learned:

  1. User ID controlled by request parameter