User ID Controlled by Request Parameter with Data Leakage in Redirect
Lab
User ID controlled by request parameter with data leakage in redirect · Apprentice
Solution
Given
This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
You can log in to your own account using the following credentials: wiener:peter
Analyzing the task
The lab is very similar to the previous one, except that the access check now answers with a redirect to the login page instead of serving the page directly. The leak is in the body of that redirect response, which a browser never shows because it follows the redirect immediately.
Recon
Log in as our own user (wiener:peter). The account page is fetched with the user ID supplied in a query parameter:
GET /my-account?id=wiener
The 200 response body contains wiener's API key.
Now request the same page for carlos by changing id=wiener to id=carlos. The server answers with a 302 redirect to the login page, but the body of that 302 still contains the fully rendered account page, including carlos's key. The handler has decided on the redirect yet goes on rendering the page instead of returning early. A browser follows the Location header and discards this body, so inspect the raw response in the proxy history or Repeater (any client that does not auto-follow redirects):
<div>Your API Key is: ltYmzXseKRiFaVJ49joHRJQVKGVmdfbq</div>
Lab solved.
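To show the bug class rather than just the lab's answer, here is an added example that is not part of the PortSwigger lab or this writeup: a tiny local HTTP server with a /my-account handler that reproduces the fault (status set to 302, but the protected page is still rendered into the body), the fixed handler beside it (return as soon as the redirect is decided), and a client check that reads the raw redirect body without following it. Users, session cookies, keys and the /login path are all constructed for the demo.

```python
"""Added example: redirect-with-leaked-body bug and its fix (not the lab's code)."""
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed demo data; not the lab's real accounts, sessions or keys.
API_KEYS = {"wiener": "key-for-wiener-0000", "carlos": "key-for-carlos-1111"}
SESSIONS = {"session=wiener-session": "wiener"}  # Cookie header -> logged-in user


def render_account_page(user):
    return f"<div>Your API Key is: {API_KEYS[user]}</div>"


def handle_my_account(session_user, requested_id, fixed):
    """Model of GET /my-account?id=<requested_id>. Returns (status, headers, body).

    fixed=False reproduces the lab's bug: the check chooses a 302 to /login but
    execution carries on into the page render, so the body still holds the key.
    fixed=True returns as soon as the redirect is decided, with an empty body.
    """
    if requested_id not in API_KEYS:
        return 404, {}, "not found"
    authorised = session_user is not None and session_user == requested_id
    if not authorised:
        status, headers = 302, {"Location": "/login"}
        if fixed:
            return status, headers, ""  # early return: nothing sensitive rendered
        # BUG: redirect already chosen, but the page is rendered anyway
        return status, headers, render_account_page(requested_id)
    return 200, {}, render_account_page(requested_id)


class AccountHandler(BaseHTTPRequestHandler):
    fixed = False  # overridden per server instance in start_server()

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/my-account":
            self.send_response(404)
            self.end_headers()
            return
        requested_id = parse_qs(url.query).get("id", [""])[0]
        session_user = SESSIONS.get(self.headers.get("Cookie", ""))
        status, headers, body = handle_my_account(session_user, requested_id, self.fixed)
        payload = body.encode()
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(fixed):
    """Start a loopback server on a free port with the buggy or fixed handler."""
    handler = type("DemoHandler", (AccountHandler,), {"fixed": fixed})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_raw(port, path, cookie):
    """GET without following redirects (http.client never follows them)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def leaked_key(body):
    """Pull an API key out of a rendered account page, or None if absent."""
    marker = "Your API Key is: "
    i = body.find(marker)
    if i < 0:
        return None
    return body[i + len(marker):].split("<", 1)[0]


if __name__ == "__main__":
    for fixed in (False, True):
        srv = start_server(fixed)
        status, loc, body = fetch_raw(srv.server_port, "/my-account?id=carlos",
                                      "session=wiener-session")
        srv.shutdown()
        print(f"fixed={fixed}: {status} Location={loc} leaked={leaked_key(body)!r}")
```

Running the block prints a 302 with carlos's key in the body for the buggy handler and a 302 with nothing leaked for the fixed one. The same check against a real target is `curl -i` without `-L`, or the raw response in a proxy: anything that auto-follows redirects hides exactly the body this lab leaks.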