User ID controlled by request parameter, with unpredictable user IDs

This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.

Upon logging in as "wiener," I noticed that my account was associated with a GUID in the URL:

https://***.web-security-academy.net/my-account?id=4e5a7f7c-7bac-4278-a3d4-1bfe75f53e4a

To access the "carlos" account, I needed his GUID. After a thorough search, I stumbled upon a blog post written by him at:

https://****.web-security-academy.net/blogs?userId=55489696-7fe5-4ff3-8457-23e4f6d1c601

By substituting his ID for mine in the URL, I successfully accessed the "carlos" account and could proceed to submit the API key, ultimately solving the lab.
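As an added illustration (not part of the original writeup), the flaw and its fix modelled in Python: the vulnerable handler trusts the `id` query parameter, so the GUID's unpredictability is the only barrier, and that barrier falls once the GUID leaks on the public blog page. The GUIDs are the ones from the URLs above; the API key values and the audit log are constructed.

```python
# Added example, not the lab's own code: a minimal model of the lab's
# /my-account?id=<GUID> handler, the vulnerable form beside a hardened one.
# Usernames and GUIDs come from the writeup; the API keys are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    user_id: str      # GUID that appears in ?id= and in /blogs?userId=
    username: str
    api_key: str

WIENER_ID = "4e5a7f7c-7bac-4278-a3d4-1bfe75f53e4a"
CARLOS_ID = "55489696-7fe5-4ff3-8457-23e4f6d1c601"

ACCOUNTS = {
    WIENER_ID: Account(WIENER_ID, "wiener", "wiener-key-CONSTRUCTED"),
    CARLOS_ID: Account(CARLOS_ID, "carlos", "carlos-key-CONSTRUCTED"),
}

AUDIT_LOG: list = []  # constructed stand-in for the application's security log

def my_account_vulnerable(session_user_id: str, requested_id: str) -> Account:
    """Authorises on the request parameter alone: any logged-in caller who
    learns a GUID (here from the public blog listing) reads that user's
    account, so the GUID's unpredictability is the only control."""
    return ACCOUNTS[requested_id]

def my_account_fixed(session_user_id: str,
                     requested_id: Optional[str] = None) -> Account:
    """Authorises on the authenticated session. The id parameter is accepted
    only when it names the caller; a mismatch is denied and logged, because a
    logged-in user asking for another user's GUID is a strong IDOR signal."""
    if requested_id is not None and requested_id != session_user_id:
        AUDIT_LOG.append(
            f"idor_attempt session_user={session_user_id} "
            f"requested_id={requested_id}")
        raise PermissionError("account id does not belong to this session")
    return ACCOUNTS[session_user_id]

if __name__ == "__main__":
    # wiener's session asking for carlos's GUID: leaks under the old handler
    print(my_account_vulnerable(WIENER_ID, CARLOS_ID).api_key)
    try:
        my_account_fixed(WIENER_ID, CARLOS_ID)
    except PermissionError as exc:
        print("denied:", exc, "|", AUDIT_LOG[-1])
```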