User ID controlled by request parameter
This lab has a horizontal privilege escalation vulnerability on the user account page.
After logging in as "wiener," I observed that the username was derived from the "id" value passed in the URL:
https://****.web-security-academy.net/my-account?id=wienerRealizing this, I attempted to manipulate the URL by changing the "id" value to "carlos":
https://***.web-security-academy.net/my-account?id=carlosI then submitted the API key, successfully solving the lab.
PreviousUser role can be modified in user profileNextUser ID controlled by request parameter, with unpredictable user IDs
Last updated