# User ID controlled by request parameter, with unpredictable user IDs #### [Horizontal privilege escalation](https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/horizontal-privilege-escalation) ## Description This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs. To solve the lab, find the GUID for `carlos`, then submit his API key as the solution. You can log in to your own account using the following credentials: `wiener:peter` ## Solution

we can start login as wiener user

we obtain Wiener's API Key. We can try to return to Home page, and check if there're referrement to Carlos like as posts.

Capturing HTTP response we discover that userId value was changed

Save it (Carlos userID): f26a0928-06ae-4b0d-be0a-ca03266160f0 Go back to My Account page and change the reference adding the new userID:

horizontal privilege escalation done! Send the Carlos' API Key: NEvvgurN9IMYbP0WGQhRNxGCKLHuboPn

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/server-side-vulnerabilities/access-control/user-id-controlled-by-request-parameter-with-unpredictable-user-ids.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.