User ID controlled by request parameter, with unpredictable user IDs

Horizontal privilege escalation

Description

This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.

To solve the lab, find the GUID for carlos, then submit his API key as the solution.

You can log in to your own account using the following credentials: wiener:peter

Solution

we can start login as wiener user

we obtain Wiener's API Key.

We can try to return to Home page, and check if there're referrement to Carlos like as posts.

https://0a3200fc04ca12b780505890009300fd.web-security-academy.net/post?postId=3

Capturing HTTP response we discover that userId value was changed

Save it (Carlos userID): f26a0928-06ae-4b0d-be0a-ca03266160f0

Go back to My Account page and change the reference adding the new userID:

https://0a3200fc04ca12b780505890009300fd.web-security-academy.net/my-account?id=f26a0928-06ae-4b0d-be0a-ca03266160f0

horizontal privilege escalation done!

Send the Carlos' API Key: NEvvgurN9IMYbP0WGQhRNxGCKLHuboPn