User ID controlled by request parameter

This lab has a horizontal privilege escalation vulnerability on the user account page.

After logging in as "wiener," I observed that the username was derived from the "id" value passed in the URL:

https://****.web-security-academy.net/my-account?id=wiener

Realizing this, I attempted to manipulate the URL by changing the "id" value to "carlos":

https://***.web-security-academy.net/my-account?id=carlos

I then submitted the API key, successfully solving the lab.

Last updated