User ID controlled by request parameter, with unpredictable user IDs
This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.
Reproduction and proof of concept
Find a blog post by
carlosand observe that the URL contains his user ID. Make a note of this ID.
Log in with
wiener:peterand access the account page.
Change the “id” parameter to the saved user ID.
Retrieve and submit the API key.
An attacker will need to log in, find the GUID for
carlos, then submit his API key as the solution.