User ID controlled by request parameter, with unpredictable user IDs


This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.

Reproduction and proof of concept

  1. Find a blog post by carlos.

  2. Click on carlos and observe that the URL contains his user ID. Make a note of this ID.
  1. Log in with wiener:peter and access the account page.

  2. Change the “id” parameter to the saved user ID.

  3. Retrieve and submit the API key.


An attacker will need to log in, find the GUID for carlos, then submit his API key as the solution.